[Fwd: Re: [ga] Kaminsky on dns bugs - Bernstein responds]
FYI

-------- Original Message --------
Subject: Re: [ga] Kaminsky on dns bugs - Bernstein responds
Date: Fri, 08 Aug 2008 02:28:30 -0700
From: "Jeffrey A. Williams" <jwkckid1@ix.netcom.com>
Organization: IDNS and Spokesman for INEGroup
To: Joe Baptista <baptista@publicroot.org>, DOC/NTIA ICANN Rep <aheineman@ntia.doc.gov>, ICANN SSAC Dave Piscitello <dave.piscitello@icann.org>, "matthias.langenegger@icann.org" <matthias.langenegger@icann.org>, "Nevett, Jonathon" <jnevett@networksolutions.com>
CC: Ga <ga@gnso.icann.org>, icann board <icann-board@icann.org>, Kieren McCarthy <kieren.mccarthy@icann.org>, Wendy Seltzer <wendy@seltzer.com>, "twomey@icann.org" <twomey@icann.org>, Peter Dengate Thrush <barrister@chambers.gen.nz>, GAC Rep <ssene@ntia.doc.gov>, Cheryl Langdon-Orr <cheryl@hovtek.com.au>, Nick Ashton-Hart <nick.ashton-hart@icann.org>, "Brendler, Beau" <Brenbe@consumer.org>, Carl Wallace <CWallace@cygnacom.com>, Carlton Samuels <carlton.samuels@uwimona.edu.jm>, Chuck Gomes <cgomes@verisign.com>, "Darlene Thompson," <DThompson@GOV.NU.CA>, Evan Leibovitch <evan@telly.org>, ICANN Marc Salvatierra <marc.salvatierra@icann.org>, ietf-nomcom Mailing List <ietf-nomcom@ietf.org>, "Jacqueline A. Morris" <jam@jacquelinemorris.com>, Jeff Neuman <Jeff.Neuman@neustar.us>, "Nevett, Jonathon" <jnevett@networksolutions.com>, Robert Guerra <robert@privaterra.org>, Roland Perry <roland@internetpolicyagency.com>, Siavash Shahshahani <shahshah@irnic.ir>
References: <874c02a20808081918x7955ea24yc13506a6e7dfa915@mail.gmail.com>

Dr. Joe and all,

Yes of course, some of us have known for years and stated such years ago right here on the GA when the old DNSO was still in existence, myself and yourself Joe, included. It's all in the archives, which I am sure by now Kent Crispin or someone at ICANN is scouring in case "Creative" editing can be deployed or "Artistically" utilized as has been done before and also reported accordingly. But not to worry, I have two other separately archived copies of all those archives! >:)

Joe Baptista wrote:
Well, the long-awaited description by Dan Kaminsky of the DNS vulnerabilities was released as a 104-slide PowerPoint presentation:
http://www.doxpara.com/DMK_BO2K8.ppt
On slide 34 it claims that DJB (Dr. Bernstein) WAS RIGHT. This is something we all have known for years. But then Kaminsky went on to hang himself by saying that DJB was "NOT PERFECT, we're seeing (and patching, don't ask)". Kaminsky offers as an example that the birthday attack protection was not implemented by Bernstein because he believed port randomization was enough, and goes on to say that DJBDNS has other known issues too.
People, this claim by Kaminsky is a load of crap and once again furthers my claim that the recent security issues are nothing more than the rehashing of old security problems that Bernstein addressed years ago.

In any case there was a response to this by Bernstein - the response is below. As you can see, Bernstein supports what I have been going on about concerning these recent DNS security issues. The problems have been known for years and this is nothing more than a rehash of existing security issues to exploit user hysteria in the hope the world can be tricked into accepting yet another useless insecure protocol - being DNSSEC.

I agree with Bernstein that the recent patches don't fix the problem. In any case, here is Bernstein's reply for the record.
regards joe baptista
---------- Forwarded message ----------
From: D. J. Bernstein <djb@cr.yp.to>
Date: Thu, Aug 7, 2008 at 11:42 PM
Subject: Re: Kaminsky on djbdns bugs
To: dns@list.cr.yp.to
Kyle Wheeler writes:
> That makes it easier for an attacker to guess the right number, but only somewhat (your chances per-guess go from one in four billion to, say, thirty in four billion). This criticism of djbdns seems somewhat... well, specious.

http://cr.yp.to/djbdns/forgery.html has, for several years, stated the results of exactly this attack:

   The dnscache program uses a cryptographic generator for the ID and query port to make them extremely difficult to predict. However,

   * an attacker who makes a few billion random guesses is likely to succeed at least once;
   * tens of millions of guesses are adequate with a colliding attack;

etc. The same page also states bilateral and unilateral workarounds that would raise the number of guesses to "practically impossible"; but then focuses on the real problem, namely that "attackers with access to the network would still be able to forge DNS responses."

I suppose I should be happy to see public awareness almost catching up to the nastiest DNS attacks I considered in 1999. However, people are deluding themselves if they think they're protected by the current series of patches. UIC is issuing a press release today on this topic; see below.
---D. J. Bernstein, Professor, Mathematics, Statistics, and Computer Science, University of Illinois at Chicago
DNS still vulnerable, Bernstein says
CHICAGO, Thursday 7 August 2008 - Do you bank over the Internet? If so, beware: recent Internet patches don't stop determined attackers.
Network administrators have been rushing to deploy DNS source-port randomization patches in response to an attack announced by security researcher Dan Kaminsky last month. But the inventor of source-port randomization said today that new security solutions are needed to protect the Internet infrastructure.
"Anyone who knows what he's doing can easily steal your email and insert fake web pages into your browser, even after you've patched," said cryptographer Daniel J. Bernstein, a professor in the Center for Research and Instruction in Technologies for Electronic Security (RITES) at the University of Illinois at Chicago.
Bernstein's DJBDNS software introduced source-port randomization in 1999 and is now estimated to have tens of millions of users. Bernstein released the DJBDNS copyright at the end of last year.

Kaminsky said at the Black Hat conference yesterday that 120,000,000 Internet users were now protected by patches using Bernstein's randomization idea. But Bernstein criticized this idea, saying that it was "at best a speed bump for blind attackers" and "an extremely poor substitute for proper cryptographic protection."
DNSSEC, a cryptographic version of DNS, has been in development since 1993 but is still not operational. Bernstein said that DNSSEC offers "a surprisingly low level of security" while causing severe problems for DNS reliability and performance.
"We need to stop wasting time on breakable patches," Bernstein said. He called for development of DNSSEC alternatives that quickly and securely reject every forged DNS packet.
Press contact: Daniel J. Bernstein <press-20080807@box.cr.yp.to>
-30-
--
Joe Baptista
www.publicroot.org
PublicRoot Consortium
----------------------------------------------------------------
The future of the Internet is Open, Transparent, Inclusive, Representative & Accountable to the Internet community @large.
----------------------------------------------------------------
Office: +1 (360) 526-6077 (extension 052)
Fax: +1 (509) 479-0084
Regards,
Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" - Abraham Lincoln
"Credit should go with the performance of duty and not with what is very often the accident of glory" - Theodore Roosevelt
"If the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i.e., whether B is less than PL." United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947])
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security
IDNS. div. of Information Network Eng. INEG. INC.
ABA member in good standing member ID 01257402
E-Mail jwkckid1@ix.netcom.com
My Phone: 214-244-4827
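As an added illustration (not code from this thread, from djbdns, or from Bernstein's forgery page), the script below works out the guess counts behind the figures quoted in Bernstein's reply: a few billion blind guesses against a random 16-bit ID plus a random 16-bit source port, only tens of thousands when the port is fixed, tens of millions for a colliding attack, and Wheeler's "thirty in four billion" per-guess chance. The probability model is the standard 1 - (1 - p)^n for n independent guesses. The cap of 200 queries the attacker can keep in flight at the cache, the 100,000 forged packets per second, and the bias factor of 30 are assumed values chosen for illustration, not figures from the thread.

```python
"""Cost of blind DNS forgery against a cache that randomizes a 16-bit
transaction ID and a 16-bit UDP source port (the dnscache design).

Added example; not code from the thread, from djbdns, or from Bernstein's
forgery page. The cache-side parameters below are assumptions chosen to
illustrate the figures quoted in the thread, not measured values.
"""
import math

# Assumption: the cache randomizes a 16-bit ID and a 16-bit source port.
ID_BITS = 16
PORT_BITS = 16

# Assumption: how many queries the attacker can keep in flight at the cache
# at once for the "colliding" variant. 200 is an illustrative value only.
OUTSTANDING_QUERIES = 200

# Assumption: forged-response rate the attacker can sustain (packets/second).
ATTACKER_PPS = 100_000


def guess_space(id_bits=ID_BITS, port_bits=PORT_BITS):
    """Number of (ID, port) pairs a blind attacker has to hit: 2^32 when both
    are random, only 2^16 when the source port is fixed."""
    return 2 ** (id_bits + port_bits)


def success_prob(guesses, per_guess_prob):
    """P(at least one forgery is accepted) after `guesses` independent tries,
    i.e. 1 - (1 - p)^n, computed with log1p/expm1 so it stays accurate for
    per-guess probabilities around 1/2^32."""
    return -math.expm1(guesses * math.log1p(-per_guess_prob))


def guesses_for(target_prob, per_guess_prob):
    """Smallest number of forged packets that reaches `target_prob`."""
    return math.ceil(math.log1p(-target_prob) / math.log1p(-per_guess_prob))


def blind_per_guess(space, bias=1.0):
    """Per-packet success chance with one query outstanding. `bias` > 1
    models an ID/port generator that is partly predictable; Wheeler's
    "thirty in four billion" is bias=30 with space=2^32 (assumed reading)."""
    return bias / space


def colliding_per_guess(space, outstanding):
    """Per-packet success chance when the attacker first gets `outstanding`
    distinct queries in flight at the cache: a forgery is accepted if it
    matches any of them. Approximation: the in-flight (ID, port) pairs are
    distinct and the attacker's guesses are uniform."""
    return min(1.0, outstanding / space)


def attack_cost(per_guess_prob, pps=ATTACKER_PPS, target_prob=0.5):
    """(packets needed, seconds needed) to reach `target_prob` at `pps`."""
    n = guesses_for(target_prob, per_guess_prob)
    return n, n / pps


def scenarios():
    """The cases discussed in the thread, as (label, packets, seconds)."""
    s16 = guess_space(port_bits=0)   # 16-bit ID only, fixed source port
    s32 = guess_space()              # 16-bit ID plus random 16-bit port
    return [
        ("fixed port, 16-bit ID", *attack_cost(blind_per_guess(s16))),
        ("random port, blind guessing", *attack_cost(blind_per_guess(s32))),
        ("random port, generator biased x30", *attack_cost(blind_per_guess(s32, bias=30))),
        ("random port, colliding attack", *attack_cost(colliding_per_guess(s32, OUTSTANDING_QUERIES))),
    ]


if __name__ == "__main__":
    for label, packets, seconds in scenarios():
        hours = seconds / 3600
        print(f"{label:36s} {packets:>14,d} packets  ~{hours:7.2f} h at {ATTACKER_PPS:,} pps")
```

Run as a script it prints one line per scenario. Port randomization raises the 50% cost from about 45 thousand to about 3 billion packets, which at the assumed rate is hours rather than a fraction of a second; the colliding variant divides that by the number of in-flight queries and brings it back to minutes, which is the sense in which the page calls randomization a speed bump rather than a fix.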