Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-26 Thread Paul Vixie
[EMAIL PROTECTED] (Randy Bush) writes: i hope all my competitors don't patch. i think that that statement is false. the resulting insecurity of that endpoint population will be a tsunami that will swamp people far away, it'll just be worse for those at the epicenter (meaning: who don't patch.)

Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-26 Thread Joe Greco
what i do not understand is why people think screaming to the choir will make any significant difference? Think about it. Would you rather nobody make a big deal about it and have it go unpatched lots of places, and have nobody understand what a monumental train wreck this all is, or would it

Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-26 Thread bmanning
On Sat, Jul 26, 2008 at 03:05:18PM -0500, Joe Greco wrote: what i do not understand is why people think screaming to the choir will make any significant difference? And Paul's absolutely correct, this is not something where we can afford to let that happen. Paul is correct if

Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-26 Thread bmanning
On Sat, Jul 26, 2008 at 05:47:54PM -0400, Sean Donelan wrote: On Sat, 26 Jul 2008, [EMAIL PROTECTED] wrote: there you go. the massive effort to patch would likely have better been spent to actually -sign- the stupid zones and work out key distribution. but no... running around

Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-25 Thread Nathan Ward
On 25/07/2008, at 6:45 AM, Scott Berkman wrote: Is it just me or is the test page below down now? Or maybe someone poisoned the NS record for dns-oarc.net and sent it to nowhere to stop testing! (J/K since I can get to the rest of the page fine). Hmm, cute. So uh, is this patch available for

Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-25 Thread Jorge Amodio
So is this patch a true fix or just a temporary fix until further work can be done on the problem? I guess you need to read some of the related papers/presentations/advisories/etc related to a subject that has been under discussion for 20+ years. Answering your questions, as said

Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-25 Thread Jared Mauch
On Thu, Jul 24, 2008 at 08:37:55PM -0400, [EMAIL PROTECTED] wrote: On Thu, 24 Jul 2008 17:31:01 EDT, Jay R. Ashworth said: But it seems to me that Paul, you are here espousing the opinion that there's no business value in people being able to trust that the domain name they heard on a TV ad

Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-25 Thread Jay R. Ashworth
On Fri, Jul 25, 2008 at 07:31:30PM +1200, Nathan Ward wrote: So uh, is this patch available for download over HTTPS with a key that was generated by the vendor and signed by well trusted root CAs on boxes with OpenSSL versions not released by Debian? PATCH NOW PATCH NOW seems like a

Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-25 Thread Jorge Amodio
Regarding Bubba, he won't likely move until there is a real problem, this makes it on CNN, and even then, he may not understand what is going on. That win2k server in the corner never got updated. But when he realizes his business is at risk due to the buggy software, our pal Bubba

Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-24 Thread Joe Greco
downplay this all you want, we can infect a name server in 11 seconds now, which was never true before. i've been tracking this area since 1995. don't try to tell me, or anybody, that dan's work isn't absolutely groundbreaking. i am sick and bloody tired of hearing from the people who

Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-24 Thread Paul Vixie
i am sick and bloody tired of hearing from the people who aren't impressed. Well, Paul, I'm not *too* impressed, and so far, I'm not seeing what is groundbreaking, except that threats discussed long ago have become more practical due to the growth of network and processing speeds, which was

Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-24 Thread Joe Greco
So, look at other options: * Widen the query space by using multiple IP addresses as source. This, of course, has all the problems with NAT gw's that the port solution did, except worse. This makes using your ISP's properly designed resolver even more attractive,

Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-24 Thread Joe Greco
i am sick and bloody tired of hearing from the people who aren't impressed. Well, Paul, I'm not *too* impressed, and so far, I'm not seeing what is groundbreaking, except that threats discussed long ago have become more practical due to the growth of network and processing speeds,

Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-24 Thread Steve Tornio
On Jul 24, 2008, at 9:22 AM, Paul Vixie wrote: 11 seconds. and att refuses to patch. and all iphones use those name servers. This caught my attention, and so I tossed the ATT wireless card in my laptop and ran the test: [rogue:~] steve% dig +short porttest.dns-oarc.net TXT

RE: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-24 Thread michael.dillon
So, look at other options: * Widen the query space by using multiple IP addresses as source. This, of course, has all the problems with NAT gw's that the port solution did, except worse. This makes using your ISP's properly designed resolver even more attractive, rather than

Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-24 Thread Joe Abley
On 24 Jul 2008, at 10:56, Joe Greco wrote: MY move? Fine. You asked for it. Had I your clout, I would have used this opportunity to convince all these new agencies that the security of the Internet was at risk, and that getting past the who holds the keys for the root zone should be

Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-24 Thread Gadi Evron
On Thu, 24 Jul 2008, Joe Greco wrote: downplay this all you want, we can infect a name server in 11 seconds now, which was never true before. i've been tracking this area since 1995. don't try to tell me, or anybody, that dan's work isn't absolutely groundbreaking. i am sick and bloody tired

Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-24 Thread Sean Donelan
On Thu, 24 Jul 2008, Paul Vixie wrote: 11 seconds. and att refuses to patch. and all iphones use those name servers. Has att told you they are refusing to patch? Or are you just spreading FUD about att and don't actually have any information about their plans?

Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-24 Thread William Pitcock
On Thu, 2008-07-24 at 11:21 -0400, Sean Donelan wrote: On Thu, 24 Jul 2008, Paul Vixie wrote: 11 seconds. and att refuses to patch. and all iphones use those name servers. Has att told you they are refusing to patch? Or are you just spreading FUD about att and don't actually have

Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-24 Thread Joe Greco
On 24 Jul 2008, at 10:56, Joe Greco wrote: MY move? Fine. You asked for it. Had I your clout, I would have used this opportunity to convince all these new agencies that the security of the Internet was at risk, and that getting past the who holds the keys for the root

Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-24 Thread William Herrin
On Thu, Jul 24, 2008 at 9:35 AM, Joe Greco [EMAIL PROTECTED] wrote: Well, Paul, I'm not *too* impressed, and so far, I'm not seeing what is groundbreaking, except that threats discussed long ago have become more practical due to the growth of network and processing speeds, which was a hazard

Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-24 Thread Paul Vixie
11 seconds. and att refuses to patch. and all iphones use those name servers. Has att told you they are refusing to patch? Or are you just spreading FUD about att and don't actually have any information about their plans? I believe it is a hypothetical situation being

Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-24 Thread Joe Abley
On 24 Jul 2008, at 11:40, Joe Greco wrote: Compared with the problem of global DNSSEC deployment, getting everybody in the world to patch their resolvers looks easy. Of course. That's why I said that deploying this patch was something that could be done *too*. OK, good. Sorry if I

Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-24 Thread Laurence F. Sheldon, Jr.
Jorge Amodio wrote: /etc/hosts rulez !!! :-) Wonder if SRI still has the files. -- Requiescas in pace o email Two identifying characteristics of System Administrators: Ex turpi causa non oritur actio Infallibility, and the

Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-24 Thread Jorge Amodio
/etc/hosts rulez !!! :-) Wonder if SRI still has the files. The SRI-NIC is long gone, I still remember the IP address of the ftp server 10.0.0.51 :-) There are several historic copies all over the net. Jorge

Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-24 Thread Sean Donelan
On Thu, 24 Jul 2008, Paul Vixie wrote: ATT Response: US-CERT DNS Security Alert- announced July 8, 2008. The latest patch for alert TA08-190B is currently being tested and will be deployed in the network as soon as its quality has been assured. That doesn't sound like refuses to patch.

Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-24 Thread Tuc at T-B-O-H.NET
Jorge Amodio wrote: /etc/hosts rulez !!! :-) Wonder if SRI still has the files. Using the methods in RFC-952 and RFC-953 I wasn't able to get them. I can't find if there is an updated RFC/name to use. Tuc/TBOH ;)

Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-24 Thread Paul Vixie
Refuses to patch sounds like FUD. go ask 'em, and let us all know what they say. kaminsky tried to get everybody a month, but because of ptacek's sloppiness it ended up being 13 days. if any dns engineer at any internet carrier goes home to sleep or see their families before they patch, then

Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-24 Thread David W. Hankins
On Thu, Jul 24, 2008 at 09:56:32AM -0500, Joe Greco wrote: MY move? Fine. You asked for it. Had I your clout, I would have used this opportunity to convince all these new agencies that the security of the Internet was at risk, and that getting past the who holds the keys for the root zone

Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-24 Thread Jorge Amodio
He, he, nice comment. The issue is that with today's html crap and embedded images on mails click is no longer required, just include a malicious tag forcing your resolver to go to bad boy's NS to resolve the URL and you are up in biz. Can't stop laughing ... it's a rainy boring day in south

Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-24 Thread Sean Donelan
On Thu, 24 Jul 2008, Paul Vixie wrote: Refuses to patch sounds like FUD. go ask 'em, and let us all know what they say. I believe att has already said they are testing the patch and will deploy it as soon as their testing is completed. Other than you, I have not heard anyone in att say

RE: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-24 Thread Scott Berkman
, July 24, 2008 2:40 PM To: Steve Tornio Cc: [EMAIL PROTECTED] Subject: Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked? Steve Tornio wrote: On Jul 24, 2008, at 12:17 PM, Duane Wessels wrote: xpara.com tests to lock up my iPhone, or I would use that checker to verify

Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-24 Thread Sean Donelan
On Thu, 24 Jul 2008, Paul Vixie wrote: I believe att has already said they are testing the patch and will deploy it as soon as their testing is completed. Other than you, I have not heard anyone in att say they are refusing to patch. i read att write that this was a rehash of a previously

Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-24 Thread Rubens Kuhl Jr.
it to nowhere to stop testing! (J/K since I can get to the rest of the page fine). -Scott -Original Message- From: Ken A [mailto:[EMAIL PROTECTED] Sent: Thursday, July 24, 2008 2:40 PM To: Steve Tornio Cc: [EMAIL PROTECTED] Subject: Re: Paul Vixie: Re: [dns-operations] DNS

RE: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-24 Thread marcus.sachs
Here's some older ones: http://pdp-10.trailing-edge.com/cgi-bin/searchbyname?name=hosts.txt Prior to departing SRI last year I spent a bunch of time trying to find some of the old SRI-NIC records. It appears that they were all cleaned out once the contract was closed and the Internet was

Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-24 Thread Richard Parker
On Jul 24, 2008, at 10:17 AM, Duane Wessels wrote: Give this one a try: http://entropy.dns-oarc.net/test/ For one iPhone it reported 209.183.54.151 as having GREAT source port randomness and GREAT transaction ID randomness. However, despite the test reporting GREAT, the source ports

Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-24 Thread Deepak Jain
For one iPhone it reported 209.183.54.151 as having GREAT source port randomness and GREAT transaction ID randomness. However, despite the test reporting GREAT, the source ports were _definitely_ non-random. http://5d93b9656563a44e4c900ff9.et.dns-oarc.net/ Proving random is not easy.

Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-24 Thread Jason Frisvold
On Thu, Jul 24, 2008 at 1:14 PM, Paul Vixie [EMAIL PROTECTED] wrote: in spite of that caution i am telling you all, patch, and patch now. if you have firewall or NAT configs that prevent it, then redo your topology -- NOW. and make sure your NAT isn't derandomizing your port numbers on the way

Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-24 Thread Jay R. Ashworth
On Thu, Jul 24, 2008 at 1:14 PM, Paul Vixie [EMAIL PROTECTED] wrote: and if you have time after that, write a letter to your congressman about the importance of DNSSEC, which sucks green weenies, and is a decade late, and which has no business model, but which the internet absolutely dearly

Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-24 Thread Paul Vixie
So is this patch a true fix or just a temporary fix until further work can be done on the problem? the only true fix is DNSSEC. meanwhile we'll do UDP port randomization, plus we'll randomize the 0x20 bits in QNAMEs, plus we'll all do what nominum does and retry with TCP if there's a QID

re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-23 Thread Paul Vixie
this is for whoever said it's just a brute force attack and/or it's the same attack that's been described before. maybe it goes double if that person is also the one who said my knowledge in this area is out of date. g. re: