posted by YourName on Saturday, July 19, 2008, 11:09 AM
On Tuesday, 8 Jul 2008, all the makers involved in connecting users to the internet collectively released patches for a flaw in Domain Name Servers (DNS). The bug was discovered by a security researcher, Dan Kaminsky, a few months ago. He immediately rounded up all the BIG names in a conference room to race against all the potential attackers. He will only reveal the details at the coming Black Hat Security Conference in Las Vegas on 7 Aug 2008, to allow administrators around the world one month to patch their DNS. Below is the post he put up at his web site, after the official release of the patches.
----------------------------------------------------------------------------------------
"An Astonishing Collaboration
Wow. It’s out. It’s finally, finally out.
Sweet!
So there’s a bug in DNS, the name-to-address mapping system at the core of most Internet services. DNS goes bad, every website goes bad, and every email goes…somewhere. Not where it was supposed to. You may have heard about this — the Wall Street Journal, the BBC, and some particularly important people are reporting on what’s been going on. Specifically:
1) It’s a bug in many platforms
2) It’s the exact same bug in many platforms (design bugs, they are a pain)
3) After an enormous and secret effort, we’ve got fixes for all major platforms, all out on the same day.
4) This has not happened before. Everything is genuinely under control.
I’m pretty proud of what we accomplished here. We got Windows. We got Cisco IOS. We got Nominum. We got BIND 9, and when we couldn’t get BIND 8, we got Yahoo, the biggest BIND 8 deployment we knew of, to publicly commit to abandoning it entirely.
It was a good day.
CERT has details up, and there’s a full-on interview between myself and Rich Mogull up on Securosis. For the non-geeks in the audience, you might want to tune out here, but this is my personal blog and I do have some stuff to mention to the crew.
There’s something very important about what we accomplished here.
We. Because there’s absolutely no way I could have pulled this off by myself.
Paul Vixie is an institution. Having long maintained the Internet’s most popular DNS server, Paul simply knows everybody. Paul was absolutely instrumental in pulling together the engineers we needed to solve this problem. We needed Florian Weimer there, all the way from Europe. We needed David Dagon, and Jinmei Tatuya, and Wouter Wijngaards. We needed Microsoft, Cisco, Nominum, Neustar, and OpenDNS.
And we really needed CERT.
It was an interesting discussion, with lots of disagreement, but ever-growing consensus. After evaluating several options, one approach was clear — and, I must admit, somewhat embarrassing to Paul.
DJB was right. All those years ago, Dan J. Bernstein was right: Source Port Randomization should be standard on every name server in production use.
There is a fantastic quote that guides a lot of the work I do: Luck is the residue of design. Dan Bernstein is a notably lucky programmer, and that’s no accident. The professor lives and breathes systems engineering in a way that my hackish code aspires to one day experience. DJB got “lucky” here — he ended up defending himself against an attack he almost certainly never encountered.
Such is the mark of excellent design. Excellent design protects you against things you don’t have any information about. And so we are deploying this excellent design to provide no information.
To translate the fix strategy into a more familiar domain, imagine large chunks of Windows RPC went from Anonymous to Authenticated User only, or even all the way to Admin Only. Or wait, just remember Windows XPSP2. This is a sledgehammer, by design. It cuts off attack surface, without necessarily saying why. Astonishingly subtle bugs can be easily hidden, or even rendered irrelevant, by a suitably blunt fix.
Of course, it remains obvious that something new is up, and that something will be found eventually. But there’s a lot of buggy systems out there, vulnerable not just to new bugs but bugs that have been known for years. If all this effort ever accomplished was sweeping old and crusty BIND8 off the Internet, if we could finally fully eliminate Joe Stewart’s (edit: Originally Vagner Sacramento’s, thanks Joe!) Birthday Attacks from 2002, if we started doing something about Amit Klein’s Transaction ID Randomness finds (even the deeply underrated client vulns) from last year, and yes, if the static port assignments DJB warned us about ages ago were finally shut down — then this would still be a huge win.
There are reasons why the new issue is particularly severe, but I think reasonable people can agree that anything that could scrub even the old bugs would be a boon to the security of the Internet. And so, I ask the open research community…assume I found nothing! Assume this is nothing but a stunt, to finally get people to take Joe and Amit and DJB seriously, and to give network scanners a crystal clear fingerprint of what a trustable recursive server looks like.
Joe and Amit and especially DJB have done some incredible work. I’d look terrible at the end of it, but their bugs would finally get fixed, and stay fixed. As for me, I dunno. Go back to graphics. Mmmm…SIGGRAPH…
For those of you who won’t make that assumption, I have a request. It is very unusual, and maybe unreasonable. But I have to ask.
I want you to explore DNS. I want you to try to build off the same bugs I did to figure out what could possibly go wrong. Maybe I missed something — I want you to help me find out if I did, so we can deal with it now instead of later. I do want all this. But I also want my family to be able to use the Internet in peace. I’m not asking for forever. I am asking about thirty days. I’ve done everything in my power to get the patches available, no matter the platform. But the code doesn’t (always) install itself. While I’m out there, trying to get all these bugs scrubbed — old and new — please, keep the speculation off the public forums and IRC channels. We’re a curious lot, and we want to know how things break. But the public needs at least a chance to deploy this fix, and from a blatantly selfish perspective, I’d kind of like my thunder not to be completely stolen in Vegas.
Now, if you do figure it out, and tell me privately, you’re coming on stage with me at Defcon. So I can at least offer that.
" - adapted from Dan Kaminsky’s web site
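An added example, not taken from Kaminsky's post or written by this blog's author: a check an administrator could run over the source ports of a resolver's outbound queries to see whether the static or predictable port assignments mentioned above are still in use. The function names, thresholds and sample port lists are assumptions made for illustration.

```python
import statistics

def classify_source_ports(ports, min_samples=10):
    """Rate the UDP source ports a resolver used for consecutive outbound queries.

    Returns 'static', 'sequential', 'narrow' or 'random'.
    The thresholds are illustrative assumptions, not values from the post.
    """
    if len(ports) < min_samples:
        raise ValueError("too few observations to judge")
    if len(set(ports)) == 1:
        return "static"        # one fixed port: only the 16-bit ID is left to guess
    # Step between consecutive queries, modulo the 16-bit port space
    steps = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    if sum(1 for s in steps if 0 < s <= 16) >= 0.9 * len(steps):
        return "sequential"    # the port changes, but the next one is predictable
    if statistics.pstdev(ports) < 3000:
        return "narrow"        # the port varies, but only inside a small pool
    return "random"

# Constructed observations (not real captures), one list per resolver behaviour.
SAMPLES = {
    "fixed port": [53] * 20,
    "incrementing": list(range(1024, 1044)),
    "small pool": [1025, 1030, 1027, 1025, 1031, 1028,
                   1026, 1030, 1029, 1025, 1032, 1027],
    "randomized": [40211, 1893, 58120, 23977, 61004, 12750, 33518,
                   49902, 7345, 55061, 18236, 44489, 2901, 63777,
                   27164, 36650, 9582, 51423, 15008, 60339],
}

def audit(samples=SAMPLES):
    """Classify every sample list and return {name: verdict}."""
    return {name: classify_source_ports(p) for name, p in samples.items()}

if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:13} -> {verdict}")
```

Feed it ports recorded at an authoritative server you operate rather than on the resolver host itself, because a NAT device in between can rewrite the source ports.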
posted by YourName on , 10:41 AM
The heat is on again!

Yes, I am running for my school again this year. This is the 3rd time I have been participating since I joined 9 years ago. My team came in 3rd the first time. Last year, we were 5th.
Finally, I made the purchase - a new pair of Mizuno running shoes, two weeks ago for this event. My previous pair of Brooks was bought in 1988, only S$40. Nowadays, many say their sport shoes hardly last more than 2 years. My engineering mind worked out the calculation instinctively and swiftly concluded the worthiness of all the economical sport shoes I had owned.
Turned out: a pair of no-brand sports shoes that I bought in China back in 1991 (before the economic boom) for merely S$16, which had survived me climbing 3 mountains, came out on top of my worthiness chart!
posted by YourName on Wednesday, July 16, 2008, 7:49 AM
It is right at the tip of my tongue. Refuses to go away.
The stubborn canker sore appeared 13 days ago. Of course, I had it before many times. They never last this long. I applied all the medicine (including salt) I could get and rinsed my mouth with salt water solution.
On the 11th day (two days ago), it still showed no sign of easing and I decided to go to the doc. I left the clinic with 5-day antibiotics, a different kind of oral cream, and loads of worry.
When I arrived back at the office after the clinic visit, I surfed the web for medical resources. The result is consistent with my worry.
"One of the symptoms of tongue cancer - canker sore that does not heal in 3 weeks"
There is a long list of symptoms associated with tongue cancer. When everything is so uncertain, my natural response took over and I started looking for symptoms that correlate to mine. Probably this is what the saying "the more you know, the more scared you are" is about.
Yesterday, the 12th day, after 4 takes of antibiotics, still no improvement. Worry intensified. I told myself, 3 weeks or 21 days is the deadline. I still have 9 days of hope.
I shared with my children on the possibilities. They are angels. Their responses, again, made me feel how blessed I am!
Suddenly, I realised what worries me most is not the sore, whatever terminating illness, but my children. To be exact, I discovered the greatest pain for me would be not being able to be there for them when my children are in need!
"The greatest plight of a mother is not able to help knowing her child is suffering."
And I shared this discovery with some of my students in the Program Design class.
Finally, this morning I woke up overjoyed that the pain had greatly reduced, though the canker sore was still sitting there with the usual white crater.
I rushed to the kids' room and broke the good news to them. They were still dressing up for school when we three hugged tightly together!