BIND Members forum (was: tsig exploit)

Terje Bless link at tss.no
Thu Feb 8 19:57:47 UTC 2001


[ Damn! I'd promised myself I wouldn't let myself get dragged into ]
[ this. Apparently I'm unable to keep my big mouth shut if my life ]
[ depended on it. :-(                                              ]

On 08.02.01 at 13:19, Claude Marinier <claude.marinier at dreo.dnd.ca> wrote:

>What is the difference between tell everyone as soon as possible and tell
>everyone after there is a fix?

|--|---|--|
A  B   C  D

A - Hole discovered.
B - Hole patched on root servers.
C - Permanent fix ready from vendors and info goes out from CERT.
D - The majority of Internet sites take action on hole.

From A-C only ISC, BIND-Members, and the Crackers have the info.

I have no clue that the git I pissed off on IRC today can nuke me into
oblivion because he hangs on #K3Wl and got a tsig exploit from a friend
with a stupid "nick". The ISC position ATM is that since they _today_ give
the info to CERT where it reads "BIND-Members" above, it's much better to
_also_ give the info to BIND-Members tomorrow. While possibly quite true,
it's a situation of "two wrongs make a right" IMO. It's sticking your head
in a hole and pretending that what you can't see doesn't exist.

Don't get me wrong, I believe the guys over at ISC will do their utmost to
assess the situation and do the very best they can for everyone's benefit. I
believe this is done with the best intentions and that the ISC and at least
a solid majority of those who end up on BIND-Members will try their
damnedest to make it work; even for us insignificant peons.

But I disagree _strongly_ that hiding a vulnerability will do anyone any
good. IOW, I think they are wrong in their assessment of this one specific
issue. I think they have _been_ wrong in only telling CERT until a fix was
available. And I think they are _exacerbating_ their mistake in the
creation of this BIND-Members forum. It's not a plot to take over the world
(that's Linus' department) and it's not a move to give over control to the
Faceless Corporations. It's not even a significant change from the Status
Quo!


I just think it's propagating a bad idea and a better course of action
would be to correct the mistakes of the past instead of patching them up
for the future. Not the least reason for which is that this move will
legitimize the practice of limiting distribution of security info, giving a
false sense of security and making this malpractice harder to stop.

Not that it _can't_ work reasonably well -- and better than the current
system -- but I don't think it _will_ work. If no disaster comes from this
it will be out of pure luck and not because BIND-Members prevented it.


>What do you (as a user) gain from early disclosure?

I can exercise due diligence and shut down servers, pull them off the net,
harden my internal boxes, watch my BIND boxes more closely, set up
additional honeypots and decoys, plan emergency solutions, call in extra
people, or even, god forbid, track down and patch the bloody hole myself!

By hiding the flaw you somewhat limit the crackers access to it, but you
leave me completely in the dark and exposed to any crackers that _do_ get
their hands on it.


>As a developer, you gain from early disclosure and I read that there is
>provision for that in the proposed BIND Members forum (even waived fees in
>some cases).

Uh-hu? You think _I'm_ getting an invite from the ISC?

This is why I dislike the BIND-Members concept so much. The idea is to
invite everyone who has some unspecified level of influence on the
Infrastructure of the Internet. There's a slippery slope if ever I saw one.
This will either be a closed group of a few powerful vendors -- locking
out everyone who doesn't have enough cash, or clout, or reputation, or
speaks poor English, or... -- or a free-for-all that is uncontrollable but
still hampers communication to those that don't devote their lives solely
to BIND.

I don't so much mind a Cabal, I just want the Cabal to be upfront about it
(tinc). If, say, Paul hand-picked people he knows work a lot with BIND,
and can be trusted, who get a head start on this type of issue, I
wouldn't mind so much. But this is an unspecified and unspecifiable group
of people -- that just happens to include Big Ass Corporations with
questionable motivations (the Corp. not the individual people in them) --
but which _explicitly_ does *not* include the majority of those affected by
a hole in BIND; namely the poor overworked and underappreciated Security
people and Systems Administrators out there.



The difference?

In the one case I can take proper precautions. In the second case I can
pray I don't get rooted while the ISC and their buddybuddies smoke cigars
in their back room.

In the first case I can make an informed decision. In the second case I
have to make some emergency upgrade with the CEO breathing down my neck,
after the article he read on CNN.com, and asking why we aren't running
Micros~1 DNS.

In the first case I can do some quick checks and make sure I'm not
compromised and evaluate the probability given that the kiddies haven't
really got any canned exploits yet. Meanwhile, in the other scenario, the
kiddies have had their plug'n'play exploit for a godsbedamned _month_ and
to be _absolutely_ certain I'm not compromised I have to reinstall every
BIND box on my net.


I will happily accept that there are people that are more important to the
health of the Internet than me, but I *will* *not* be left standing alone
in the aisle with an empty bowl going "Please, Sir. Can I have some more?".
Unless you're prepared to take full responsibility for my servers, don't
elevate yourself to the position of dictating what's best for me. The ISC
has an obvious right to do whatever the hell they want, but on the
assumption that what they want is to do what's best for everyone, the right
thing is to give me the information I need to do my job and get the hell
out of the way.

The whole _point_ of open software is that you can modify it yourself
instead of having to rely on the vendor to do it for you. The ISC is
currently of the opinion that when it comes to security info, this doesn't
apply. Since I didn't pay them for BIND I can't even call them up and yell
at them until they ship a fix (though I could probably yell at Nominum ;D).
Meanwhile, the boss is more than happy to yell at me. And what he's usually
yelling is "Switch to MS DNS already! At least they give you a support
contract. At least they are legally accountable!" And as all CEOs know,
Micros~1 software doesn't have any bugs or security holes...



-- 
By definition there is *no*way* any problem can be my fault. Any problems you
think you can find in my code are all in your imagination. If you continue
with such deranged imaginings then I may be forced to perform corrective
brain surgery... with an axe.       -- Stephen Harris <sweh at spuddy.mew.co.uk>