North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

  • From: Paul Vixie
  • Date: Thu Jul 24 01:55:35 2008

this is for whoever said "it's just a brute force attack" and/or "it's the
same attack that's been described before".  maybe it goes double if that
person is also the one who said "my knowledge in this area is out of date".

grrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr.

re:


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

--- Begin Message ---
> >The difference is its use of additional RR records. The request is for 
> >some arbitrary sub domain like 12345.google.com, but your spoofed 
> >response also includes the record for www.google.com
> 
> Which is also decades old and well known.  So at best, it's a 'new' attack
> that is a combination of 2 well-known/documented ones. Maybe I am somewhat
> disappointed because I expected a second coming/something truly novel
> (please note that I'm not discounting the seriousness of the issue, just
> commenting on its apparent novelty)

downplay this all you want, we can infect a name server in 11 seconds now,
which was never true before.  i've been tracking this area since 1995.  don't
try to tell me, or anybody, that dan's work isn't absolutely groundbreaking.

i am sick and bloody tired of hearing from the people who aren't impressed.
every time some blogger says "this isn't new", another five universities
and ten fortune 500 companies and three ISP's all decide not to patch.
that means we'll have to wait for them to be actively exploited before they
will understand the nature of the emergency.

perhaps dan's defcon talk will open some remaining eyes among those glued
shut by the pride and prejudice of the minds behind them.  i am stunned,
absolutely stunned, that there was a ready-to-go blog posting sitting in
clear text on a network connected machine, written by tom ptacek who had
whined about how the hacker community needed to be in the loop, waiting for
the "publish" button to be hit "accidentally" by his wife.  is this how the
community rewards dan for trying to buy us all some time to protect the
infrastructure?  is this how the community plans to incentivize slow and
careful disclosure of the next big flaw?

we've exited another era in the disclosure debate, and not even dan knew it.

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

_______________________________________________
dns-operations mailing list
[email protected]
http://lists.oarci.net/mailman/listinfo/dns-operations

--- End Message ---