Tuesday, July 22, 2008

A few short notes on what's being reported:

It seems that after my previous speculation, a few unforeseen things happened:
  • Apparently, my post, while partially incorrect, was somewhere close to the truth
  • A third party accidentally posted full details on the issue, which corrected my mistakes. Shortly after posting these details, the post was pulled down again, but was archived by search engines (and those that had subscribed to the blog where it was posted).
There have been a number of slightly incorrect press reports which I'd like to clarify:
  • I posted a partially incorrect, but close, guess on what the DNS issue might be. That is not the same as "publishing a reliable way to poison DNS". It is guessing how it might be done.
  • I did not pull down any posts from my blog.
I do not think anything I have posted takes away from Dan's superb work on this issue. Some people are of the opinion that I "stole his thunder" for his Blackhat talk, and I disagree strongly: Dan's talk is a full hour on DNS, and all the interesting things within DNS. My post was a vague guess.

Imagine: A world-renowned particle physics expert decides to give a one-hour lecture in your hometown, and on your way there some guy on the street tells you "I think he will talk about (...30 seconds of physics here...)". Would you decide that listening to the physics expert talk is no longer necessary because the guy on the street told you everything?

Also: Guessing how something is done knowing it can be done is easy. Dan did the hard part: Coming up with a clever attack in a protocol that is relied on everywhere. My guess doesn't come close to comparing to what Dan has done: He spotted something that everyone else missed beforehand. He also handled the entire situation with a lot of endurance, patience, and determination. We disagree on whether people have a right (or even duty) to discuss what the issue might be, but that doesn't mean that I do not have the greatest respect for Dan. And his talk will contain much more of interest than my silly 30 lines.

I think (German news site) Heise summed it up well:
"In fact, all of Dullien's hunches had already been sketched out the day that US-CERT published a vulnerability note on the security hole."

I guessed. I was close, perhaps closer than others, but no cigar.

4 comments:

kernel said...

I agree with heise regarding the cert publication.
I think that instant full disclosure is always a better way, it puts pressure on the right people, so the window of vulnerability is much smaller.
Freedom of Information.

Unknown said...

I think I have something, thanks to you. You can find it on my blog (fr only, but you read fr ;).

Basically, it's what Thomas Ptacek explained, but instead of sending an Additional record at the end with the spoofed answer, I pass an Authority RR pointing domain NS to an arbitrary server.

Seems to work.

Sebastián Puig said...

Congratulations from Spain. You write well and explain things better. Directly. Simply.

Michael Dundas said...

If you stole his thunder then that is probably good ;). Personally, the biggest problem I have with this whole DNS vulnerability is the lack of full-disclosure once the patch was released. There is the excuse that we need time for critical infrastructure to patch, but I think that is more of an excuse. They want a show with media etc. Seeing this with political figures, software vendors is bad enough, but I didn't expect to see it from prominent security researchers.