Re: how to get people to upgrade? (Re: The weak link? DNS)
The ISC would host a zone that would contain TXT records with security/bug advisories for every version:
I have a better idea. ISC could set up a web page that would contain security/bug advisories for every version. In order to make it easier for people to find this web page, it could be listed in various directories such as CERT. And it could also be put into search engines so that someone could go to Google, type in "BIND bug site:isc.org" and click "I'm Feeling Lucky".
yadda yadda yadda...
Indeed!
Let's face it folks, DNS is not the tool of choice for publishing anything other than the mapping between hostnames and IP addresses.
For some things the web is better. For others LDAP is better. And for the problem that Paul mentioned at the beginning there is only one solution; the press.
The fact is that Paul wants to catch the attention of people who aren't paying attention right now. He has stated that email notices don't work and we can assume that the BIND security web page, and CERT's web pages also don't work. No, there is only one thing Paul can do right now.
a. Collect some realistic numbers as to the number of DNS servers that are vulnerable to the various exploits. Ask people who do network scanning to provide some statistics on what they see and scale them up according to the number of hosts in the host-count database. For example, assume that someone has scanned N hosts and discovers that N/10 are running BIND and that 40% of those are vulnerable. Also assume that the hostcount shows 20 million hosts in the world. Infer from this that there are 2 million BIND servers and that there are 800,000 vulnerable ones. But do the calculations with some real data, not my example figures.
b. Write a press release with the following headline:
N Thousand Internet Servers Suffer Same Fate as Iraqi Server
Or maybe write some variation on this but keep it scary and keep Iraq in the headline. The body of the press release should explain the attacks that the Iraqi server was suffering from, then point out how many other servers are also vulnerable and then point out how terrorists could use these vulnerabilities against us. If you can, name some specific organizations where you know the vulnerability exists. Pick a large organization or two that has many nameservers and the vulnerability exists in some obscure corner of the organization, not on their main nameservers. They really can't sue over this because you haven't damaged them by disclosing enough detail for an attacker to use.
c. Release to both the national press and the computer/network trade press.
That's how you get people's attention and that's also how the clueful technical people get the authority and funding to go in and fix the vulnerable boxes. As long as we continue to play games and pretend that Internet operations is still the old boys club that it once was, we will continue to suffer from these nagging issues.
People on the NANOG mailing list do not run the Internet anymore. NANOG's market share of network operations people has been steadily shrinking as the Internet has grown. This may still be the most clueful gathering place, but there are an awful lot of people out there today designing, building and operating networks, who have never heard of NANOG.
There is no universal forum anymore. The Internet isn't special anymore.
--Michael Dillon
What are you talking about? The DNS check option will work great for BIND. I mean, if BIND cannot get to the root server and thereafter to ISC, you don't have to worry about it getting hacked; it's probably not connected to the internet. And DNS already provides the ability for ISC to have multiple diverse DNS servers in different parts of the world in case you can't get to one of them, so access to these TXT records is assured.
And I really do like how Jeff finished with a good example of what I had in mind in my original email. I still think it might be worth it to ask for the administrator's email address during setup and have that added to named.conf as its own special parameter, and when it's not present then email can go to the root or postmaster or possibly hostmaster address from the first zone listed (I'm not sure which is better...). This system also has to be presented to the user (possibly as a default-on option), but they must also know what the system would be doing (i.e. that you, for example, will have a list of their IPs), as some already expressed privacy concerns about this being done automatically without a turn-off option.
On Wed, 26 Mar 2003 Michael.Dillon@radianz.com wrote:
The ISC would host a zone that would contain TXT records with security/bug advisories for every version:
I have a better idea.
ISC could set up a web page that would contain security/bug advisories for every version. In order to make it easier for people to find this web page, it could be listed in various directories such as CERT. And it could also be put into search engines so that someone could go to Google, type in "BIND bug site:isc.org" and click "I'm Feeling Lucky".
yadda yadda yadda...
Indeed!
Let's face it folks, DNS is not the tool of choice for publishing anything other than the mapping between hostnames and IP addresses.
For some things the web is better. For others LDAP is better. And for the problem that Paul mentioned at the beginning there is only one solution; the press.
The fact is that Paul wants to catch the attention of people who aren't paying attention right now. He has stated that email notices don't work and we can assume that the BIND security web page, and CERT's web pages also don't work. No, there is only one thing Paul can do right now.
a. Collect some realistic numbers as to the number of DNS servers that are vulnerable to the various exploits. Ask people who do network scanning to provide some statistics on what they see and scale them up according to the number of hosts in the host-count database. For example, assume that someone has scanned N hosts and discovers that N/10 are running BIND and that 40% of those are vulnerable. Also assume that the hostcount shows 20 million hosts in the world. Infer from this that there are 2 million BIND servers and that there are 800,000 vulnerable ones. But do the calculations with some real data, not my example figures.
b. Write a press release with the following headline:
N Thousand Internet Servers Suffer Same Fate as Iraqi Server
Or maybe write some variation on this but keep it scary and keep Iraq in the headline. The body of the press release should explain the attacks that the Iraqi server was suffering from, then point out how many other servers are also vulnerable and then point out how terrorists could use these vulnerabilities against us. If you can, name some specific organizations where you know the vulnerability exists. Pick a large organization or two that has many nameservers and the vulnerability exists in some obscure corner of the organization, not on their main nameservers. They really can't sue over this because you haven't damaged them by disclosing enough detail for an attacker to use.
c. Release to both the national press and the computer/network trade press.
That's how you get people's attention and that's also how the clueful technical people get the authority and funding to go in and fix the vulnerable boxes. As long as we continue to play games and pretend that Internet operations is still the old boys club that it once was, we will continue to suffer from these nagging issues.
People on the NANOG mailing list do not run the Internet anymore. NANOG's market share of network operations people has been steadily shrinking as the Internet has grown. This may still be the most clueful gathering place, but there are an awful lot of people out there today designing, building and operating networks, who have never heard of NANOG.
There is no universal forum anymore. The Internet isn't special anymore.
--Michael Dillon
On Wed, 26 Mar 2003 08:14:45 PST, william@elan.net said:
What are you talking about, DNS check option will work great for BIND, I mean if BIND can not get to the root server and thereafter to ISC, you don't have to worry about it getting hacked, its probably not connected to
Keep in mind that the *really* damaging security incidents tend to be the ones with skilled and/or insider attackers. And if you've scored some secretary's PC inside the corporate net, a DNS server inside the net (and unable to contact the outside world) makes a GREAT way to leverage the foothold....
Participants (3): Michael.Dillon@radianz.com, Valdis.Kletnieks@vt.edu, william@elan.net