Fwd: kyxspam: isc loses mind
Sorry guys, I don't normally re-post/forward things between mailing lists, but I think this is a reasonable rant that everyone should read. I apologise to those people who have already received this from BugTraq. (Everyone on this list SHOULD be on BugTraq, but I know that is not the case.) This is related to the previous thread re DJBDNS and BIND. (I still maintain that people should take a look at http://www.dents.org and help out with the coding if they have the ability. The sooner we see a nice, stable, GPL'd alternative to BIND, the better.)

Cheers,
Nix
Date: Thu, 1 Feb 2001 05:03:14 -0800
From: Dragos Ruiu
Subject: kyxspam: isc loses mind
To: BUGTRAQ@SECURITYFOCUS.COM

The recent vulnerabilities in BIND must have overlooked one flaw amongst that extensive list that makes every version deployed on the planet vulnerable: the flaw that makes the ISC bind oversight committee crash, coredump and lose its mind with this new, for-pay, "leet" bind vulnerability list. Never mind the politics surrounding the issue that in part bind development was paid for with public funds - or that they link to GPL libraries that might technically GPL it. This bind $cabal$ idea is just broken as long as none of us have any choice but to run bind if we want to use the internet.
Considering that the only other credible alternative to bind that I've found, djb-dns, has a ridiculously restrictive license that will essentially bar it from _ever_ being distributed by others, that leaves the entire internet in the unenviable position of relying on a dubious piece of software, managed in a dubious fashion, as a single monoculture point of failure (there is NO alternative!). This is a critical issue that should be of concern to anyone that relies on the Internet for _anything_.
Addressing assignment, the BGP routing table, and DNS are the glue that holds the Internet together... hell, they ARE the Internet. And to have the entire Internet running on one (hideously twisted and ugly to boot) piece of code, waiting to blow up, like the mother of all single points of failure, is ridiculous. The latest batch of vulnerabilities should be example enough that it _will_ blow up. I'm morbidly almost wanting someone to write the killer DNS worm and take down the _entire_ Internet in one fell swoop just to prove the point. (Or waiting for the first script kiddy that DoSses 13 servers and locks up every computer on the planet...)
The world desperately needs one or more decent alternatives (several would be better, but at this point I would be happy with even one, credible, widely deployed, alternative) just to remove this single point of failure.
As far as for-pay vulnerability lists for that single point of failure.... Hmmm... do you mean that all it will cost me is a few bucks spent on a cabal membership and I can have a big head start on exploiting any new DNS bug and thereby facilitating 0wn1ng every host on the internet before anyone has any chance to fix things or even know they're vulnerable (so that they can take _some_ sort of precaution if possible)? Cool, buy the entire internet all for one low, low, price.... where do I sign up? Oh that's right, I can't. I guess I just have to be content with "bind-members" owning all my machines... :-(

BTW, as an aside, I think that if such a group ever actually forms, we'll likely see a backlash response of one of the most systemic, wide-spread attacks against the whole DNS system ever seen, as they elevate themselves to the juiciest single hacker target in human history...
Sorry for the strong words, but the ISC is fucked up, apparently. But I should have guessed that when I first (tried to) read the later versions of bind source (with apologies to Bill Norton, the original project manager for that development). I just had to be slapped in the face with it again, repeatedly, to wake up to this harsh reality. Someone, please, tell me there is another alternative - because with the direction it's headed now, the Internet based on bind isn't looking like it's going to be a very good, reliable, or secure, network.
regrets, --dr
To: bind-announce@isc.org
Subject: PRE-ANNOUNCEMENT: BIND-Members Forum
Date: Wed, 31 Jan 2001 09:36:02 -0800
From: Paul A Vixie

ISC has historically depended upon the "bind-workers" mailing list, and CERT advisories, to notify vendors of potential or actual security flaws in its BIND package. Recent events have very clearly shown that there is a need for a fee-based membership forum consisting only of:
1. ISC itself
2. Vendors who include BIND in their products
3. Root and TLD name server operators
4. Other qualified parties (at ISC's discretion)
Requirements of bind-members will be:
1. Not-for-profit members can have their fees waived
2. Use of PGP (or possibly S/MIME) will be mandatory
3. Members will receive information security training
4. Members will sign strong nondisclosure agreements
Features and benefits of "bind-members" status will include:
1. Private access to the CVS pool where bind4, bind8 and bind9 live
2. Reception of early warnings of security or other important flaws
3. Periodic in-person meetings, probably at IETF's conference sites
4. Participation on the bind-members mailing list
If you are a BIND vendor, root or TLD server operator, or other interested party, I urge you to seek management approval for entry into this forum, and then either contact, or have a responsible party contact, isc-info@isc.org.
Paul Vixie
Chairman, ISC
--
Dragos Ruiu
dursec.com ltd. / kyx.net - we're from the future
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc
http://cansecwest.com CanSecWest/core01: March 28-30, Vancouver B.C.
Speakers: Renaud Deraison/Nessus Attack Scanner, Martin Roesch/Snort/Advanced IDS, Ron Gula/Enterasys/Strategic IDS, Dug Song/Arbor Networks/Monkey in the Middle, RFP/Whisker2.0 and other fun, Mixter/2XS/Distributed Apps, Theo DeRaadt/OpenBSD, K2/w00w00/ADMutate, HD Moore/Digital Defense/Making NT Bleed, Frank Heidt/@Stake, Matthew Franz/Cisco/Trinux/Security Models, Fyodor/insecure.org/Packet Reconnaissance, Lance Spitzner/Sun/Honeynet Fun, Robert Graham/NetworkICE/IDS Technology Demo, Kurt Seifried/SecurityPortal/Crypto: 2-Edged Sword, Dave Dittrich/UW/Forensics, Sebastien Lacoste-Seris & Nicolas Fischbach/COLT Telecom/Securite.Org/Kerberized SSH Deployment, Jay Beale/MandrakeSoft/Bastille-Linux/Securing Linux

---
Nix - nix@susesecurity.com
http://www.susesecurity.com