Security

Kaminsky On DNS Bugs a Year Later and DNSSEC

L3sPau1 writes "Network security researcher Dan Kaminsky has had a year to reflect on the impact of the cache poisoning vulnerability he discovered in the Domain Name System. In the time since, Kaminsky has become an advocate for improving security in DNS, and ultimately, trust on the Internet. One way to do this is with the widespread use of DNSSEC (DNS Security Extensions), which essentially brings PKI to website requests. In this interview, Kaminsky talks about how the implementation of DNSSEC would enable greater security and trust on the Net and provide a platform for the development of new security products and services."
  • by i.r.id10t ( 595143 ) on Thursday June 25, 2009 @11:03AM (#28466581)

    Better than generating fear to reduce the rights of your citizens...

  • by gandhi_2 ( 1108023 ) on Thursday June 25, 2009 @11:07AM (#28466633) Homepage
    Nothing is better than generating fear to reduce the rights of your citizens.

    Sincerely,
    Both Political Parties.

  • by headhot ( 137860 ) on Thursday June 25, 2009 @11:16AM (#28466723) Homepage

    The Kaminsky bug is real, and it's being used out in the wild. This is not a hypothetical academic exercise. DNS needs to be secured. It's not fear mongering, and it's not for profit.

    Many of these security consultants you speak of are not consultants at all, but experts working on this stuff in their free time for the betterment of the internet.

  • .. hit yet.

    Security is a tricky thing. You say security people sell you things "you don't need". But if you wait until you NEED security, it is already too late because you have a breach.

    Security is not an ER visit, it is a regular preventative exam with your physician. It is something you have to take a proactive approach with. Yes, this often means investing time and money in something that has no immediate ROI. But that is the nature of the problem you are dealing with.

  • Re:Optimistic guy (Score:1, Insightful)

    by Anonymous Coward on Thursday June 25, 2009 @11:44AM (#28467049)

    Kaminsky is incredibly enthusiastic about DNSSEC. ... to the point where someone not too knowledgeable (like I am) wonders if DNSSEC really is that amazing or if he was just high.

    I guess it depends if you care about getting the correct IP address back when resolving a host or not.

    Personally, when I type google.com into a resolver, I kinda like to get one of the IPs Google wants returned for it, and not an IP the ISP or a hacker wants returned for it.

    To each their own though!

  • by Anonymous Coward on Thursday June 25, 2009 @01:31PM (#28468751)

    That's kind of the point. Dan has found a flaw in the basement of your house.
    The entire house is in jeopardy, no matter how well built. Every house affected.

    Do you:
    A: Call Kaminsky a damn liar, denounce his snake oil, sip your turpentine.
    B: Stucco and paint every 10 days, whistling to yourself forcefully.
    C: Try to jackhammer out the flaw and form up some new foundation meantime
    D: Nuke the house from orbit, start from scratch, total web tech re-over in IPv6

    I think Dan proposes C and eventually D. Most people stuck on A and B.

    But hey, when the internet fails, just think of all the free time you'll have.

  • Dumb Question (Score:3, Insightful)

    by John Hasler ( 414242 ) on Thursday June 25, 2009 @01:32PM (#28468761) Homepage

    But since I don't claim to understand DNSSEC I'll ask it: how secure is DNSSEC against abuse by governments?

  • by jafiwam ( 310805 ) on Thursday June 25, 2009 @01:54PM (#28469149) Homepage Journal
    You don't host anything for real paying customers, do you?

    Let me give you a summary of how interaction with "security consultants" usually goes:

    1. Customer gets cold called or sees some FUD on local TV, or portscans or the "consultant" has some dude in Malaysia digging around to find the sites hosted for pennies an hour.
    2. Customer gets bilked out of a couple hundred dollars for a 'security audit' (a scan using a common tool with default settings usually)
    3. Customer fails to understand any of it.
    4. Passes a FUD report on to my desk, and proceeds to piss and moan or wring hands.
    5. I have to stop what I am doing and examine the bogus report, then make a time consuming write up, explaining why having port 80 open is not a big deal and that it's typically not possible to be running both IIS and AIX (Unix) on the same box.
    6. "security consultant" either tries to sell the user an open source program, Barracuda box (puke) or just laughs all the way to the bank, or even better yet starts bugging me about being honest with the customer (who is now unhappy about the fee charged).

    This sequence repeats with every new BS bug, news story, or any time the economy is flush with IT money.

    The "security consultant" is never really concerned about security, only money. Most of the time they don't know anything, sometimes they are outright brain-dead stupid and want to do things like put a notice "Please do not hack our web site" on every page because they think it won't be illegal to deface if the notice is not there. (Yes, that's really what they wanted.)

    Replace the "security consultant" with the following types; "copyright protection scanning" and "defacement warning monitoring" (THAT is a bullshit scam) and "version back ups" and you have a whole world of suck. Thankfully the economy has been bad for a while so mom&pop shops are slamming the door on a two hundred dollar expense for an audit.

    Maybe Kaminsky himself won't be doing this, however a legion of other folks will be following shortly behind that will. The dream to update DNS is nice, but it's a stupidly impractical thing to be demanding everybody do right now. Aside from a few articles here and there, the "real world exploits" for this stuff, where someone actually gets harmed... well, where are THOSE reports?
  • by DNS-and-BIND ( 461968 ) on Thursday June 25, 2009 @03:40PM (#28470739) Homepage
    Q: Why is starting a comment in the Subject: line incredibly annoying?
  • by Tony Hoyle ( 11698 ) <tmh@nodomain.org> on Thursday June 25, 2009 @09:55PM (#28476211) Homepage

    You can get wildcard certs for HTTP as well. They cost lots and lots of $$$.

    You wonder how much getting a domain signed is going to cost... think Verisign is going to turn down a cash cow that big? I'd be surprised if they charge less than $1000 per domain.

    Ultimately, as Verisign signs the root, all paths (and all money) lead to them, and that's why they're pushing DNSSEC so much.
