[BBLISA] Re: Dan Kaminsky DNS scam
Dean Anderson
dean at av8.com
Thu Mar 12 13:12:05 EDT 2009
The claim of vulnerability was a scam. All aspects were previously
known. Kaminsky didn't discover anything.
====================== Excerpt from my comments to the NTIA on DNSSEC
http://www.ntia.doc.gov/dns/comments/comment027.pdf
Kaminsky-Vixie "Media Hack"
Much attention has been given to DNSSEC after the "Kaminsky Attack" was
described. The December 2008 issue of MIT.s Technology Review reports
the "Media Hack" aspect of the event. The truth of the matter as,
reported by Technology Review on pg. 64 is that "Kaminsky had not really
discovered a new attack". Dr. Bernstein discovered this attack many
years ago, and fixed the DNSCache server software in 1999. The PowerDNS
caching server was fixed in 2006. In 2006, NLnet (Kolkman et al) noted
the spoofing of NS Records. A design report for the Unbound DNS Server
software, developed by Nominet, Verisign, NLnet Labs (Kolkman et al),
EP.NET (Bill Manning)) in which the authors describe that "spoofed NS
additionals confuse iterator"4. This paper was discussed at IETF 67, in
November 2006.
Kaminsky is also connected to other questionable activity. In January
2006, Kaminsky announced he had found 580,000 open recursors at a hacker
conference called Schmoocon. Its unclear how all this scanning was done
without notice or complaint. Coincidentally, the first DNS reflection
attack is reported to have taken place in October 2005 in a paper by
Professor Vaughn of Baylor University and Gadi Evron5 These events are
the subject of a document called "draft-ietf-dnsop-reflectors-are-evil",
which seeks to close all open recursive DNS Servers. After news of the
"Kaminsky Attack" leaked out, Kaminsky wrote on Twitter:
"DNS bug is public. You need to patch, or switch to OpenDNS,
RIGHT NOW."
OpenDNS is a company that offers Open Recursor service, using open
recursors to provided DNS services that deny DNS to phishing sites, and
enable the collection of data on user browsing preferences, which is
presumably mined for marketing research and other statistics. There are
connections between Vixie et al (the BIND Cartel) and OpenDNS founder
David Ulevitch and OpenDNS employee Bill Fumerola.
Every part of Kaminsky's "attack" was well-known to most DNS experts for
a long time, including Paul Vixie. Vixie describes his conversation with
Kaminsky very dramatically as "taking 20 seconds to explain the
problem." Vixie, having debated the issue with Bernstein, should have
realized in that 20 seconds that the problem Kaminsky described was
well-known. Instead, with great drama Vixie says:
"Dan, I am speaking to you over an over an unsecure cell phone.
Please do not ever say to anyone what you just said to me over an
unsecure cell phone again"
But the well-known bug just doesn.t warrant that sort of drama.
Dan Kaminsky and Kevin Day subsequently asserted that there was a
problem in DNSCache software. Their proposed fixes, discussed offlist
with Dean Anderson, would have introduced a combination of two Birthday
attacks into DNSCache, leaving it even MORE vulnerable to spoofing
attacks.6 Nothing more has been reported by either Kevin Day or Dan
Kaminsky regarding bugs in DNSCache. No vulnerability was ever
identified in DNSCache. The code patching BIND has not been analyzed for
the presence of the combined Birthday attacks.
The Technology Review discusses how a great deal of "urgency" was
artfully created. A reasonable review of the facts shows that the alarm
is completely without justification. As a result of the .urgency., many
people deployed software changes that weren.t properly reviewed. This
massive software update, performed on blind trust, is unprecedented in
the history of the Internet. The urgency was unjustified, and one must
question whether deployment of DNSSEC as a knee-jerk reaction to a
artfully created but unjustified perception could ever be wise. Instead,
I think the connections between Kaminsky and the BIND Cartel DNSSEC
promoters ought to be investigated to see if there was an effort to
trick the government IANA function into adopting DNSSEC under artfully
created, but false "urgency".
--
Av8 Internet Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 344 9000
More information about the bblisa
mailing list