On Sat, Jan 2, 2010 at 5:54 PM, Jorge Amodio <jmamodio@gmail.com> wrote:
On Sat, Jan 2, 2010 at 12:51 PM, Patrick Vande Walle <patrick@isoc.lu> wrote:
Joe Baptista wrote, On 31/12/09 17:20:
This is a false allegation that the press has repeated without any investigation of the facts. Kaminisky never discovered anything he simply repackaged an existing well known problem as his own. Also the DNS protocol is not vulnerable in itself nor is it a security risk. The security problem is not in the DNS protocol but in the transport protocol used for DNS transactions. In this case it is the UDP protocol that is vulnerable to attack.
This problem has existed for at least 15 years. I remember it existed in the 1990's when I was commissioned to investigate vulnerabilities in military DNS servers.
That's interesting. Any pointers to the to the study you released at the time, that may justify your claim that you discovered the vulnerability 14 year before Kaminsky ?
I believe that !Dr.Joe at that time was still playing with fax machines.
No - that is incorrect. I stopped playing with fax machines back in 1995. By 1997 I was subcontracting the fax stuff for FOI. I'm not sure I would call what I was doing playing. It cost the taxpayers of Ontario a pretty penny to be considered playing. But I digress. In fact it was in 1995 that I started warning government and people about Internet vulnerabilities. I was on the discovery network that year and addressed how vulnerable we are to dependence on the Internet. And as of today - in fact long before today - all of my concerns have been proven. Cyber attack after cyber attack as reported by the local press. When I or the great Bernstein warn people DNSSEC is a trap then I think you may wish to investigate further. Even the economics to introduce DNSSEC when the problem can be solved once and for good using DNSCurve shows how a small group of people are pulling the wool over our eyes.
But there are several papers/proceedings that pinpointed many vulnerabilities and potential attach schemes to TCP/IP and other protocols/systems such as DNS, none from !Dr.Joe.
Not correct. There are one or two things from me concerning DNSSEC and other things. But I never claimed to author any papers here - so your getting ahead of yourself there. regards joe baptista
A good pointer to just start with the classics are Steven Bellovin's publications available at http://www.cs.columbia.edu/~smb/papers/<http://www.cs.columbia.edu/%7Esmb/papers/> .
A particular one where Steven introduced the issue of cache poisoning (that at that time was called contamination) is http://www.cs.columbia.edu/~smb/papers/dnshack.pdf<http://www.cs.columbia.edu/%7Esmb/papers/dnshack.pdf>
I've also the ppt presentation somewhere if you are interested.
Regards Jorge
_______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org
http://atlarge-lists.icann.org/mailman/listinfo/at-large_atlarge-lists.icann...
At-Large Official Site: http://atlarge.icann.org
-- Joe Baptista www.publicroot.org PublicRoot Consortium ---------------------------------------------------------------- The future of the Internet is Open, Transparent, Inclusive, Representative & Accountable to the Internet community @large. ---------------------------------------------------------------- Office: +1 (360) 526-6077 (extension 052) Fax: +1 (509) 479-0084 Personal: http://baptista.cynikal.net/