[NA-Discuss] [At-Large] NY Times: Domain name system flaw causes security risk

Jeffrey A. Williams jwkckid1 at ix.netcom.com
Wed Jul 30 22:20:00 EDT 2008


Beau and all,

  Interesting article, thank you for pointing it out.  Unfortunately Google.com is not
human/user-friendly whatsoever.  Neither is ATT.NET, see:
http://private.dnsstuff.com/tools/dnsreport.ch?domain=att.net&token=00804ef97b248f4e1e176f83046dd019

  Further, this long-standing DNS security hole has been known for years, nearly a
decade; it was right of Mr. Kaminsky to publicize it more forcibly so that users will be
more aware and armed with good and accurate information by which they can take
measures to protect themselves accordingly, either independently or through their
service providers.

  ICANN and the IANA, along with ISC through one Paul Vixie, could and
should have addressed this and many other less severe DNS security problems
long ago when they were first made aware of the problem, but balked to
a great degree in doing so.  This was long ago discussed on the old and
now defunct DNSO GA ML, to which I have repeatedly given a URL
link, and of which I have retained a full independent archive.  Sooner or later
ICANN is going to have to face the legal music for this one!

  I and our members have had, and will always have, a zero tolerance
policy for those that act irresponsibly, or don't take corrective action
for known or suspected technical security problems when they
knew better.  Paul Vixie and others knew well in advance of this
and other DNS security holes, and Paul is a very sharp fellow, so
he knew this problem was there and didn't strongly enough recommend
getting it fixed ASAP.  I like and respect Paul a lot, but he dropped
the ball on this, and a few others of this nature...


"Brendler, Beau" wrote:

> http://www.nytimes.com/2008/07/30/technology/30flaw.html?em&ex=1217649600&en=0be99c4e3c8f3c15&ei=5087%0A
>
> Excerpt:
>
> "The flaw that Mr. Kaminsky discovered is in the Domain Name System, a kind of automated phone book that converts human-friendly addresses like google.com into machine-friendly numeric counterparts.
>
> The potential consequences of the flaw are significant. It could allow a criminal to redirect Web traffic secretly, so that a person typing a bank’s actual Web address would be sent to an impostor site set up to steal the user’s name and password. The user might have no clue about the misdirection, and unconfirmed reports in the Web community indicate that attempted attacks are already under way.
>
> The problem is analogous to the risk of phoning directory assistance at, for example, AT&T, asking for the number for Bank of America and being given an illicit number at which an operator masquerading as a bank employee asks for your account number and password.
>
> The online flaw and the rush to repair it are an urgent reminder that the Internet remains a sometimes anarchic jumble of jurisdictions. No single person or group can step in to protect the online transactions of millions of users. Internet security rests on the shoulders of people like Mr. Kaminsky, a director at IOActive, a computer security firm, who had to persuade other experts that the problem was real."
>

Regards,

Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947])
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
div. of Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402 E-Mail
jwkckid1 at ix.netcom.com
My Phone: 214-244-4827