[NA-Discuss] [Fwd: Re: [ga] Kaminsky on dns bugs - Bernstein responds]
Jeffrey A. Williams
jwkckid1 at ix.netcom.com
Fri Aug 8 05:29:07 EDT 2008
FYI
-------- Original Message --------
Subject: Re: [ga] Kaminsky on dns bugs - Bernstein responds
Date: Fri, 08 Aug 2008 02:28:30 -0700
From: "Jeffrey A. Williams" <jwkckid1 at ix.netcom.com>
Organization: IDNS and Spokesman for INEGroup
To: Joe Baptista <baptista at publicroot.org>,DOC/NTIA ICANN Rep
<aheineman at ntia.doc.gov>,ICANN SSAC Dave Piscitello
<dave.piscitello at icann.org>,"matthias.langenegger at icann.org"
<matthias.langenegger at icann.org>,"Nevett, Jonathon"
<jnevett at networksolutions.com>
CC: Ga <ga at gnso.icann.org>, icann board <icann-board at icann.org>,Kieren
McCarthy <kieren.mccarthy at icann.org>,Wendy Seltzer
<wendy at seltzer.com>,"twomey at icann.org" <twomey at icann.org>,Peter Dengate
Thrush <barrister at chambers.gen.nz>,GAC Rep <ssene at ntia.doc.gov>,Cheryl
Langdon-Orr <cheryl at hovtek.com.au>,Nick Ashton-Hart
<nick.ashton-hart at icann.org>,"Brendler, Beau" <Brenbe at consumer.org>,Carl
Wallace <CWallace at cygnacom.com>,Carlton Samuels
<carlton.samuels at uwimona.edu.jm>,Chuck Gomes
<cgomes at verisign.com>,"Darlene Thompson," <DThompson at GOV.NU.CA>,Evan
Leibovitch <evan at telly.org>,ICANN Marc Salvatierra
<marc.salvatierra at icann.org>,ietf-nomcom Mailing List
<ietf-nomcom at ietf.org>,"Jacqueline A. Morris"
<jam at jacquelinemorris.com>,Jeff Neuman <Jeff.Neuman at neustar.us>,"Nevett,
Jonathon" <jnevett at networksolutions.com>,Robert Guerra
<robert at privaterra.org>,Roland Perry
<roland at internetpolicyagency.com>,Siavash Shahshahani
<shahshah at irnic.ir>
References:
<874c02a20808081918x7955ea24yc13506a6e7dfa915 at mail.gmail.com>
Dr.Joe and all,
Yes of course, some of us have known for years and stated such
years ago right here on the GA when the old DNSO was still
in existence, myself and yourself Joe, included. It's all in the
archives, which I am sure by now Kent Crispin or someone at ICANN is
scouring in case "Creative" editing can be deployed or "Artistically"
utilized as has been done before and also reported accordingly.
But not to worry, I have two other separately archived copies
of all those archives! >:)
Joe Baptista wrote:
>
> Well, Dan Kaminsky's long-awaited description of the dns
> vulnerabilities was released as a 104-slide Powerpoint presentation:
>
> http://www.doxpara.com/DMK_BO2K8.ppt
>
> On slide 34 it claims that DJB (Dr. Bernstein) WAS RIGHT. This is
> something we all have known for years. But then Kaminsky went on to
> hang himself by saying that DJB was "NOT PERFECT, we're seeing (and
> patching, don't ask)". Kaminsky offers as an example that the
> birthday attack protection was not implemented by Bernstein because he
> believed port randomization was enough, and goes on to say that DJBDNS
> has other known issues too.
>
> People, this claim by Kaminsky is a load of crap and once again
> furthers my claim that the recent security issues are nothing more
> than the rehashing of old security problems that Bernstein addressed
> years ago.
>
> In any case there was a response to this by Bernstein - the response
> is below. As you can see Bernstein supports what I have been going on
> about concerning these recent dns security issues. The problems
> have been known for years and this is nothing more than a rehash of
> existing security issues to exploit user hysteria in the hope the
> world can be tricked into accepting yet another useless insecure
> protocol - being DNSSEC.
>
> I agree with Bernstein that the recent patches don't fix the problem.
> In any case here is Bernstein's reply for the record.
>
> regards
> joe baptista
>
> ---------- Forwarded message ----------
> From: D. J. Bernstein<djb at cr.yp.to>
> Date: Thu, Aug 7, 2008 at 11:42 PM
> Subject: Re: Kaminsky on djbdns bugs
> To: dns at list.cr.yp.to
>
> Kyle Wheeler writes:
> > That makes it easier for an attacker to guess the right number, but
> > only somewhat (your chances per-guess go from one in four billion to,
> > say, thirty in four billion). This criticism of djbdns seems
> > somewhat... well, specious.
>
> http://cr.yp.to/djbdns/forgery.html has, for several years, stated
> the results of exactly this attack:
>
> The dnscache program uses a cryptographic generator for the ID and
> query port to make them extremely difficult to predict. However,
>
> * an attacker who makes a few billion random guesses is likely to
> succeed at least once;
> * tens of millions of guesses are adequate with a colliding attack;
>
> etc. The same page also states bilateral and unilateral workarounds
> that would raise the number of guesses to "practically impossible"; but
> then focuses on the real problem, namely that "attackers with access to
> the network would still be able to forge DNS responses."
>
> I suppose I should be happy to see public awareness almost catching up
> to the nastiest DNS attacks I considered in 1999. However, people are
> deluding themselves if they think they're protected by the current
> series of patches. UIC is issuing a press release today on this topic;
> see below.
>
> ---D. J. Bernstein, Professor, Mathematics, Statistics,
> and Computer Science, University of Illinois at Chicago
>
>
> DNS still vulnerable, Bernstein says
>
> CHICAGO, Thursday 7 August 2008 - Do you bank over the Internet? If
> so, beware: recent Internet patches don't stop determined attackers.
>
> Network administrators have been rushing to deploy DNS source-port
> randomization patches in response to an attack announced by security
> researcher Dan Kaminsky last month. But the inventor of source-port
> randomization said today that new security solutions are needed to
> protect the Internet infrastructure.
>
> "Anyone who knows what he's doing can easily steal your email and
> insert fake web pages into your browser, even after you've patched,"
> said cryptographer Daniel J. Bernstein, a professor in the Center for
> Research and Instruction in Technologies for Electronic Security
> (RITES) at the University of Illinois at Chicago.
>
> Bernstein's DJBDNS software introduced source-port randomization in
> 1999 and is now estimated to have tens of millions of users. Bernstein
> released the DJBDNS copyright at the end of last year.
>
> Kaminsky said at the Black Hat conference yesterday that 120,000,000
> Internet users were now protected by patches using Bernstein's
> randomization idea. But Bernstein criticized this idea, saying that it
> was "at best a speed bump for blind attackers" and "an extremely poor
> substitute for proper cryptographic protection."
>
> DNSSEC, a cryptographic version of DNS, has been in development since
> 1993 but is still not operational. Bernstein said that DNSSEC offers
> "a surprisingly low level of security" while causing severe problems
> for DNS reliability and performance.
>
> "We need to stop wasting time on breakable patches," Bernstein said.
> He called for development of DNSSEC alternatives that quickly and
> securely reject every forged DNS packet.
>
> Press contact: Daniel J. Bernstein <press-20080807 at box.cr.yp.to>
>
> -30-
>
>
> --
> Joe Baptista
> www.publicroot.org
> PublicRoot Consortium
> ----------------------------------------------------------------
> The future of the Internet is Open, Transparent, Inclusive,
> Representative & Accountable to the Internet community @large.
> ----------------------------------------------------------------
> Office: +1 (360) 526-6077 (extension 052)
> Fax: +1 (509) 479-0084
>
>
Regards,
Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
Abraham Lincoln
"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt
"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947])
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
div. of Information Network Eng. INEG. INC.
ABA member in good standing member ID 01257402 E-Mail
jwkckid1 at ix.netcom.com
My Phone: 214-244-4827
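The numbers traded in the thread above ("one in four billion", "thirty in four billion", "a few billion random guesses", "tens of millions of guesses ... with a colliding attack") all come from one piece of arithmetic: the probability that at least one of N blind forged responses matches an outstanding query. The following calculator is an added example by the editor, not code from the thread, from djbdns, or from Bernstein's forgery page. It assumes a 16-bit transaction ID, roughly 64,000 usable source ports for a randomizing resolver (the thread only says "four billion" combinations), and an `outstanding` parameter standing for the number of identical queries a resolver keeps in flight, which is what turns the "one in four billion" per-packet odds into "thirty in four billion". The packet counts in `scenarios()` are constructed for illustration.

```python
# Added example (not part of the thread): a defender's estimate of blind DNS
# response forgery odds, following the numbers quoted in the discussion.
import math

ID_SPACE = 2 ** 16  # 16-bit transaction ID in the DNS header

# Assumption: about 64,000 source ports usable by a randomizing resolver
# (constructed value; the thread only says "four billion" combinations).
DEFAULT_USABLE_PORTS = 64_000


def guess_space(port_randomized: bool, usable_ports: int = DEFAULT_USABLE_PORTS) -> int:
    """Number of (transaction ID, source port) pairs a blind attacker must hit.

    With a fixed source port only the 16-bit ID is unknown; with source-port
    randomization the unknown is the ID/port pair, about 2^16 * ports.
    """
    return ID_SPACE * (usable_ports if port_randomized else 1)


def per_guess_chance(space: int, outstanding: int = 1) -> float:
    """Chance that one forged packet matches one of `outstanding` identical
    queries the resolver currently has in flight.  A resolver that emits
    several copies of the same question (the "colliding" attack, Kyle
    Wheeler's "thirty in four billion") multiplies the odds per packet."""
    return min(1.0, outstanding / space)


def p_at_least_one(guesses: int, space: int, outstanding: int = 1) -> float:
    """P(at least one forgery accepted) = 1 - (1 - p)^guesses.

    Computed with log1p so it stays accurate when p is around 1e-10;
    the naive 1 - (1 - p) ** n loses the tiny p to rounding."""
    p = per_guess_chance(space, outstanding)
    if p >= 1.0:
        return 1.0
    return 1.0 - math.exp(guesses * math.log1p(-p))


def guesses_for(target: float, space: int, outstanding: int = 1) -> int:
    """Smallest number of forged packets giving P(success) >= target."""
    p = per_guess_chance(space, outstanding)
    if p >= 1.0:
        return 1
    return math.ceil(math.log(1.0 - target) / math.log1p(-p))


def scenarios() -> dict:
    """The situations discussed in the thread, as success probabilities.
    The packet counts are constructed for illustration."""
    fixed_space = guess_space(port_randomized=False)
    random_space = guess_space(port_randomized=True)
    return {
        # Pre-patch: ID-only search space of 65,536.
        "fixed_port_65k_guesses": p_at_least_one(65_536, fixed_space),
        # Patched: "a few billion random guesses is likely to succeed".
        "random_port_4e9_guesses": p_at_least_one(4_000_000_000, random_space),
        # Patched, but the resolver keeps 30 identical queries outstanding.
        "random_port_30_outstanding_1e8_guesses":
            p_at_least_one(100_000_000, random_space, 30),
        # "Tens of millions of guesses are adequate with a colliding attack":
        # 200 outstanding duplicate queries, 30 million forged packets.
        "colliding_200_outstanding_3e7_guesses":
            p_at_least_one(30_000_000, random_space, 200),
        # Packets needed for even odds in each configuration.
        "guesses_for_50pct_fixed": guesses_for(0.5, fixed_space),
        "guesses_for_50pct_random": guesses_for(0.5, random_space),
    }


if __name__ == "__main__":
    for name, value in scenarios().items():
        shown = f"{value:,.4f}" if isinstance(value, float) else f"{value:,}"
        print(f"{name:45s} {shown}")
```

The `outstanding` knob is the part a defender can actually influence: port randomization raises the search space from 65,536 to about four billion, but a resolver that lets duplicate questions pile up hands part of that back, which is why the forgery page lists the colliding case separately and why Bernstein calls randomization "at best a speed bump". The probabilities are for the resolver accepting one forged packet; what an attacker can do with that acceptance is outside this calculation.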