Valdis,
On Jul 24, 2008, at 6:05 PM, [EMAIL PROTECTED] wrote:
On Thu, 24 Jul 2008 17:43:10 PDT, David Conrad said:
On Jul 24, 2008, at 4:24 PM, Tomas L. Byrnes wrote:
The problem is, once the ICANNt root is self-signed, the hope of
ever
revoking that dysfunctional mess as authority is gone.
On 7/24/08, Hank Nussbacher [EMAIL PROTECTED] wrote:
On Thu, 24 Jul 2008, Jeffrey Ollie wrote:
Interestingly enough, Google just added a feature to GMail to force
secure connections:
http://googlesystem.blogspot.com/2008/07/force-gmail-to-use-secure-connection.html
Jeff
I wish
Paul Vixie wrote:
in http://permalink.gmane.org/gmane.linux.redhat.fedora.general/306278
we see this text:
The DNS attacks are starting!!!
Below is a snippet of a logwatch from last night. Be sure all DNS
servers are updated if at all possible. The spooks are out in
On Fri, 2008-07-25 at 18:14 -0400, Pete Carah wrote:
I saw much more than this *from the same address* starting two days ago,
and from several other blocks belonging to the same university starting
last week, to my home router and another server. So far my better
connected servers haven't
Patrick W. Gilmore wrote:
Anyone have a foolproof way to get grandma to always put "https://" in
front of www?
I understand this is a huge can of worms, but maybe it's time to change the
default behavior of browsers from http to https...?
I'm sure it's doable in FF with a simple plugin, one
On Thu, 24 Jul 2008 09:51:40 +0200
Robert Kisteleki [EMAIL PROTECTED] wrote:
Patrick W. Gilmore wrote:
Anyone have a foolproof way to get grandma to always put "https://"
in front of www?
I understand this is a huge can of worms, but maybe it's time to
change the default behavior of
On Thu, 2008-07-24 at 09:51 +0200, Robert Kisteleki wrote:
Patrick W. Gilmore wrote:
Anyone have a foolproof way to get grandma to always put "https://" in
front of www?
I understand this is a huge can of worms, but maybe it's time to change the
default behavior of browsers from http to
On Thu, 2008-07-24 at 09:51 +0200, Robert Kisteleki wrote:
Patrick W. Gilmore wrote:
Anyone have a foolproof way to get grandma to always put "https://" in
front of www?
I understand this is a huge can of worms, but maybe it's time to change the
default behavior of browsers from http to
On Thursday 24 July 2008 05:17:59 Paul Ferguson wrote:
Let's hope some very large service providers get their act together
real soon now.
http://www.hackerfactor.com/blog/index.php?/archives/204-Poor-DNS.html
It isn't going to happen without BIG political pressure, either from users, or
On Wed, Jul 23, 2008 at 9:44 PM, Joe Greco [EMAIL PROTECTED] wrote:
Except this time your reply comes with an additional record
containing the IP for www.gmail.com to the one you want to redirect it
to.
Thought that was the normal technique for cache poisoning. I'm pretty
sure that
On Wed, 23 Jul 2008, Kevin Day wrote:
The new way is slightly more sneaky. You get the victim to try to
resolve an otherwise invalid and uncached hostname like 1.gmail.com,
and try to beat the real response with spoofed replies. Except this time
your reply comes with an additional record
On Thu, 24 Jul 2008 10:06:25 +0100
Simon Waters [EMAIL PROTECTED] wrote:
I checked last night, and noticed TLD servers for .VA and .MUSEUM are
still offering recursion amongst a load of less popular top level
domains.
Indeed just under 10% of the authoritative name servers mentioned in
the
Sure, I can empathize, to a certain extent. But this issue has
been known for 2+ weeks now.
Well we knew about the DNS issues since long time ago (20+yrs perhaps?),
so the issue is not new, just the exploit is more easy to put together and
chances for it to succeed are much higher.
As I
On Thu, 24 Jul 2008, Paul Ferguson wrote:
Let's hope some very large service providers get their act together
real soon now.
There is always a tension between discovery, changing, testing and
finally deployment.
Sure, I can empathize, to a certain extent. But this issue has
been known for
On Thu, 24 Jul 2008 09:10:13 -0500
Jorge Amodio [EMAIL PROTECTED] wrote:
Sure, I can empathize, to a certain extent. But this issue has
been known for 2+ weeks now.
Well we knew about the DNS issues since long time ago (20+yrs
perhaps?), so the issue is not new, just the exploit is
On Thu, 24 Jul 2008, John Kristoff wrote:
On Thu, 24 Jul 2008 10:06:25 +0100
Simon Waters [EMAIL PROTECTED] wrote:
I checked last night, and noticed TLD servers for .VA and .MUSEUM are
still offering recursion amongst a load of less popular top level
domains.
Indeed just under 10% of the
On Thu, 24 Jul 2008, Gadi Evron wrote:
But sticking to the point, TLD servers should (under most circumstances) be
Should NEVER, oops.
On Thu, 24 Jul 2008, Martin Hannigan wrote:
I personally know several folks from within and wayyy from outside the
DNS
world who discovered this very out there and obvious issue and worked
hard
to try and contact the operators. Those that haven't fixed it yet,
likely
won't if all thing
On Thu, 24 Jul 2008 15:50:15 -
Martin Hannigan [EMAIL PROTECTED] wrote:
I don't know that a failure to act immediately is indicative of
ignoring the problem. Not to defend ATT or any other provider, but
it's not as simple as rolling out a patch.
Right. What scares me is all of the
[EMAIL PROTECTED] (Jorge Amodio) writes:
As I mentioned in another message, perhaps it's time to get serious about
DNSSEC, where are we on this front ?
still waiting for US-DoC to give ICANN permission to sign the root zone.
--
Paul Vixie
--
This message has been scanned for viruses and
[EMAIL PROTECTED] (Jorge Amodio) writes:
As I mentioned in another message, perhaps it's time to get serious about
DNSSEC, where are we on this front ?
Still waiting for US-DoC to give ICANN/IANA permission to sign the root zone.
--
Paul Vixie
Hi,
Not sure if anyone has seen yet, but there is a 2nd
exploit being circulated. I just picked it up on metasploits
SVN trunk
The first was called baliwicked_host, and the
description was :
This exploit attacks a fairly ubiquitous flaw in DNS implementations which
Dan
-- Tuc at T-B-O-H.NET [EMAIL PROTECTED] wrote:
Not sure if anyone has seen yet, but there is a 2nd
exploit being circulated. I just picked it up on metasploits
SVN trunk
I haven't seen that one yet, but I just ran across this:
Tuc at T-B-O-H.NET wrote:
The new one is called baliwicked_domain and its described
as :
This exploit attacks a fairly ubiquitous flaw in DNS implementations which
Dan Kaminsky found and disclosed ~Jul 2008. This exploit replaces the target
domains nameserver entries in a vulnerable
Neil Suryakant Patel is the nominee for AS for Communications and
Information at DoC. If he's in the loop, even advisory pending ...,
and as a Cheney staffer (initially staff secretary, now as a domestic and
economic policy adviser), that's possible, then adjust expectations
accordingly.
Paul
:[EMAIL PROTECTED]
Sent: Thursday, July 24, 2008 9:13 AM
To: [EMAIL PROTECTED]
Subject: Re: Exploit for DNS Cache Poisoning - RELEASED
[EMAIL PROTECTED] (Jorge Amodio) writes:
As I mentioned in another message, perhaps it's time to get serious
about DNSSEC, where are we on this front
On Thu, Jul 24, 2008 at 3:05 AM, Steven M. Bellovin [EMAIL PROTECTED] wrote:
The round trip issue affects latency, which in turn affects perceived
responsiveness. This is quite definitely the reason why gmail doesn't
always use https (though it, unlike some other web sites, doesn't
refuse to
On Jul 24, 2008, at 4:24 PM, Tomas L. Byrnes wrote:
The problem is, once the ICANNt root is self-signed, the hope of ever
revoking that dysfunctional mess as authority is gone.
Sorry, I don't follow -- sounds like FUD to me. Care to explain this?
As far as I'm aware, as long as the KSK isn't
On Thu, 24 Jul 2008 17:43:10 PDT, David Conrad said:
On Jul 24, 2008, at 4:24 PM, Tomas L. Byrnes wrote:
The problem is, once the ICANNt root is self-signed, the hope of ever
revoking that dysfunctional mess as authority is gone.
As far as I'm aware, as long as the KSK isn't compromised,
On Thu, 24 Jul 2008, Steve Bertrand wrote:
Gadi Evron wrote:
On Thu, 24 Jul 2008, Martin Hannigan wrote:
I personally know several folks from within and wayyy from outside the
DNS
world who discovered this very out there and obvious issue and worked
hard
to try and contact the operators.
Tomas L. Byrnes [EMAIL PROTECTED] wrote:
The problem is, once the ICANNt root is self-signed, the hope of ever
revoking that dysfunctional mess as authority is gone.
that sounds like the kind of foot-dragging that could be holding this up.
Perhaps the IETF or DoC should sign the root, that
On Thu, 24 Jul 2008, Jeffrey Ollie wrote:
Interestingly enough, Google just added a feature to GMail to force
secure connections:
http://googlesystem.blogspot.com/2008/07/force-gmail-to-use-secure-connection.html
Jeff
I wish Yahoo and Hotmail even had the ability of *reading* email via
On Thu, Jul 24, 2008 at 10:32 AM, Tuc at T-B-O-H.NET [EMAIL PROTECTED] wrote:
-- Robert D. Scott [EMAIL PROTECTED] wrote:
Now, there is an exploit for it.
http://www.caughq.org/exploits/CAU-EX-2008-0002.txt
Now also (mirrored) here:
http://www.milw0rm.com/exploits/6122
On Thu, Jul 24, 2008 at 10:32 AM, Tuc at T-B-O-H.NET [EMAIL PROTECTED]
wrote:
-- Robert D. Scott [EMAIL PROTECTED] wrote:
Now, there is an exploit for it.
http://www.caughq.org/exploits/CAU-EX-2008-0002.txt
Now also (mirrored) here:
On Thu, Jul 24, 2008 at 11:24 PM, Hank Nussbacher [EMAIL PROTECTED] wrote:
I wish Yahoo and Hotmail even had the ability of *reading* email via https:
http://www.interall.co.il/hotmail-yahoo-https.html
Hah! It was only a year ago that Yahoo even added SSL capabilities
for login. Six months
Now, there is an exploit for it.
http://www.caughq.org/exploits/CAU-EX-2008-0002.txt
Robert D. Scott [EMAIL PROTECTED]
Senior Network Engineer 352-273-0113 Phone
CNS - Network Services 352-392-2061 CNS Receptionist
University of Florida 352-392-9440 FAX
PROTECTED]
Subject: Re: Exploit for DNS Cache Poisoning - RELEASED
Now, there is an exploit for it.
http://www.caughq.org/exploits/CAU-EX-2008-0002.txt
Maybe I'm missing it, but this looks like a fairly standard DNS exploit.
Keep asking questions and sending fake answers until one gets lucky
Joe Greco wrote:
So, I have to assume that I'm missing some unusual aspect to this attack.
I guess I'm getting older, and that's not too shocking. Anybody see it?
AFAIK, the main novelty is the ease with which bogus NS records can be
inserted. It may be hard to get a specific A record
Hi,
On Jul 23, 2008, at 3:51 PM, Robert D. Scott wrote:
Actually you are not missing anything. It is a brute force attack.
I haven't looked at the exploit code, but the vulnerability Kaminsky
found is a bit more than a brute force attack. As has been pointed out
in various venues, it
Now, there is an exploit for it.
http://www.caughq.org/exploits/CAU-EX-2008-0002.txt
For anyone looking to use it, you MUST update the frameworks
libraries. Some of the code only came out ~5 hours ago that
it needs.
Tuc/TBOH
On Jul 23, 2008, at 5:30 PM, Joe Greco wrote:
Maybe I'm missing it, but this looks like a fairly standard DNS
exploit.
Keep asking questions and sending fake answers until one gets lucky.
It certainly matches closely with my memory of discussions of the
weaknesses in the DNS protocol from
On 23 Jul 2008, at 18:30, Joe Greco wrote:
So, I have to assume that I'm missing some unusual aspect to this
attack.
I guess I'm getting older, and that's not too shocking. Anybody see
it?
Perhaps what you're missing can be found in the punchline to the
transient post on the Matasano
-- Joe Abley [EMAIL PROTECTED] wrote:
It's a good job users are not conditioned to click OK when
told the certificate for this site is invalid.
I appreciate your sense of humor. ;-)
- ferg
On Wed, 2008-07-23 at 21:17 -0400, Joe Abley wrote:
Luckily we have the SSL/CA architecture in place to protect any web
page served over SSL. It's a good job users are not conditioned to
click OK when told the certificate for this site is invalid.
'course, as well as relying on users not
-- Robert D. Scott [EMAIL PROTECTED] wrote:
Now, there is an exploit for it.
http://www.caughq.org/exploits/CAU-EX-2008-0002.txt
Now also (mirrored) here:
http://www.milw0rm.com/exploits/6122
...and probably a slew of other places, too. ;-)
-
-- Robert D. Scott [EMAIL PROTECTED] wrote:
Now, there is an exploit for it.
http://www.caughq.org/exploits/CAU-EX-2008-0002.txt
Now also (mirrored) here:
http://www.milw0rm.com/exploits/6122
...and probably a slew of other places, too. ;-)
The changes the put into
On Jul 23, 2008, at 9:27 PM, Jasper Bryant-Greene wrote:
On Wed, 2008-07-23 at 21:17 -0400, Joe Abley wrote:
Luckily we have the SSL/CA architecture in place to protect any web
page served over SSL. It's a good job users are not conditioned to
click OK when told the certificate for this site is
On Wed, Jul 23, 2008 at 11:01:11PM -0400, Patrick W. Gilmore wrote:
https://www.paypal.com/
That did not even occur to me.
Anyone have a foolproof way to get grandma to always put "https://" in
front of www?
Seriously, I was explaining the problem to someone saying never click
'OK'
Patrick W. Gilmore wrote:
Anyone have a foolproof way to get grandma to always put "https://" in
front of www?
Some tests from my home Comcast connection tonight showed less than
desirable results from their resolvers.
The first thing I did was to double check that the bookmarks I use when
Skywing wrote:
Bookmarks or favorites or whatever your browser of choice wishes to call them,
for the https URLs. That, or remember to type in the https:// prefix.
- S
Which works great until you run into something like Washington Mutual
(of which you have no doubt heard)...