Regarding The Post On Chargen Earlier Today
Thomas Ptacek | July 21st, 2008 | Filed Under: Uncategorized
Earlier today, a security researcher posted their hypothesis regarding Dan Kaminsky’s DNS finding. Shortly afterwards, when the story began getting traction, a post appeared on our blog about that hypothesis. It was posted in error. We regret that it ran. We removed it from the blog as soon as we saw it. Unfortunately, it takes only seconds for Internet publications to spread.
We dropped the ball here.
Since alerting the Internet earlier in July about the upcoming announcement of his finding, Dan has consistently urged DNS operators to patch their servers. We confirmed the severity of the problem then and, by inadvertently verifying another researcher’s results today, reconfirm it today. This is a serious problem, it merits immediate attention, and the extra attention it’s receiving today may increase the threat. The Internet needs to patch this problem ASAP.
Dan told me about his finding personally, in order to help ensure widespread patching before further details were announced at the upcoming Black Hat conference. We chose to have a story locked and loaded for that presentation, or for any other confirmed public disclosure. On a personal level, I regret this as well.
Dan did phenomenal work on this research. It was impossible to talk to him today and not know that he was sincere about coordinating a graceful disclosure and fix for the problem. That I helped detract from that work is painful both personally and professionally, and I apologize to Dan for the way this played out.
Thomas Ptacek
Principal, Matasano Security
Jul 21, 2008


Nate McFeters
July 21st, 2008 7:51 pm
Tom, well written and sincere apology.
-Nate
Rudd-O
July 21st, 2008 8:32 pm
Good apology. If you had something to apologize for. Perhaps for betraying the trust someone deposited in you. But surely not for informing.
The underlying premise of this entire article is “we keep it closed, we avoid security attacks”. Which is flawed on two counts: the bad guys very likely have been using this (especially after the contentless advisory issued a few days ago) and it creates (confirmed) moral hazards that harm us all.
We deserve the right to make informed decisions. The entire process behind this “responsible” disclosure of the vulnerability (and most vulns today) actually impinges on that goal.
Look, we’re not asking for PoCs, alright? But, at the very least, can we stop pretending like you (not you Thomas, but the security research community) are not actually *conspiring to bury* stuff when writing contentless advisories?
sorcy
July 21st, 2008 8:43 pm
Yeah.. I was wondering about that. I started rssing your blog some time ago, and the post in question was cached by my reader. It was already off your blog by the time I hit your site (which was 30 mins later), but once something’s published on the net, there’s no taking it back.
As you would say, The cat is out of the bag.
Jesse
July 21st, 2008 8:45 pm
Let’s not start (another) debate here about whether we have a right to know or not.
The bottom line in this case is pretty simple - If person Dan tells Thomas some information only because Thomas agrees to unconditional secrecy, then it’s really not up to Thomas. He’s got to keep his word, and that’s pretty much it.
If Thomas had found it out on his own after hearing that there is some unknown issue, he’s free to do as he pleases. But, when you get information with a condition attached that you agree to, you pretty much have to honor that.
Not knocking Thomas here, it was obviously a regrettable mistake. Just saying, please no more rants about the (non) disclosure process, as it isn’t relevant in this case.
OTOH, did anyone _seriously_ expect that details wouldn’t be discovered or leaked before Black Hat?
Marcin
July 21st, 2008 8:54 pm
I’d like to thank ecopeland for leaking the details and confirming Halvar’s hypothesis. I’d like to thank Halvar even more for his perseverance and not letting anyone stop him from speculating as to what the vulnerability could possibly be.
Halvar, you rock. Matasano, thanks for delivering.
Jesse
July 21st, 2008 8:59 pm
Halvar’s hypothesis wasn’t correct, though.
grey
July 21st, 2008 9:04 pm
So who is ecopeland anyway? Digging through my logs of the blog and google turns up nothing but that one article. The Keyser Söze of Matasano?
tyme
July 21st, 2008 9:17 pm
The cat was out of the bag a while ago. Note the description section of http://www.secpod.org/advisories/10109.html (appeared on full-disclosure on 2008-07-10 05:45:16). It alludes to the critical element of bogus additional RRs. It’s the only advisory I saw that mentioned that, but it only takes one.
The question now is, will Matasano keep the full description off of this blog until someone posts working code?
Every day after CoordinatedPatchDay was a gift. Yeah, you might have messed up, but if Dan didn’t realize he was already on borrowed time when the patches arrived, he only has himself to blame for his disappointment.
Nate
July 21st, 2008 9:26 pm
Jesse, are you claiming Halvar’s description is incorrect? I’m convinced that it was correct or some small variant on it. I said as much to a reporter who contacted me this morning. Explain to me why I’m wrong.
Thomas Ptacek
July 21st, 2008 9:33 pm
Everyone:
We’re in a bit of a tight spot here. We can’t moderate comments piecemeal, so anyone who’s posted something here before can post now. We don’t want to turn off comments on this post, because it’s really helping us to hear how people are handling this.
But we don’t want to make things worse than how they already are. There are other blogs talking about technical details now. Can I ask a favor of all of you not to make our comment threads, which are almost always better than our posts, the epicenter for distributing DNS info today?
Statler and Waldorf
July 21st, 2008 9:44 pm
Enough of this kerfuffle! Where the hell are my fridge magnets?
tyme
July 21st, 2008 9:45 pm
Nate: as I understand it, the additional RR is the key. You can’t keep requesting the foo.com NS record and trying to poison with forged responses because it’ll be cached. You can keep requesting bogus_random.foo.com, because each different one will generate a new recursive query. Then mallory can reply with a foo.com NS record (or www.foo.com A record) as an additional RR.
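The mechanism tyme describes above, as an added example that is not part of the original thread and not code from Matasano or from Dan Kaminsky’s research: a toy Python model of a pre-patch caching resolver that matches a response on name, type, transaction ID and source port only, and caches any in-zone additional record the response carries. The zone foo.com, the attacker name ns.attacker.example, the IP addresses, the fixed port 53 and the resolver’s acceptance rules are assumptions made for the illustration, not the behaviour of any specific implementation.

```python
import random
from dataclasses import dataclass

TXID_SPACE = 1 << 16                 # 16-bit DNS transaction ID
PORT_MIN, PORT_MAX = 1024, 1 << 16   # ephemeral source-port range when randomized
ZONE = "foo.com"                     # hypothetical victim zone from the thread


@dataclass
class Query:
    name: str
    rtype: str
    txid: int
    port: int


class ToyResolver:
    """Toy caching resolver with the pre-patch behaviour the thread describes:
    a response is accepted if (name, type, txid, source port) match the one
    outstanding query, and every in-zone additional RR it carries is cached.
    randomize_ports=False models a resolver that always sends from port 53."""

    def __init__(self, rng, randomize_ports):
        self.rng = rng
        self.randomize_ports = randomize_ports
        self.cache = {}           # (name, rtype) -> rdata
        self.outstanding = None   # the single in-flight query, if any

    def lookup(self, name, rtype="A"):
        """Return (cached rdata, None) on a hit; otherwise (None, new query)."""
        if (name, rtype) in self.cache:
            return self.cache[(name, rtype)], None
        port = self.rng.randrange(PORT_MIN, PORT_MAX) if self.randomize_ports else 53
        self.outstanding = Query(name, rtype, self.rng.randrange(TXID_SPACE), port)
        return None, self.outstanding

    def deliver(self, name, rtype, txid, port, answer, additional):
        """Accept a response only if it matches the outstanding query exactly."""
        q = self.outstanding
        if q is None or (name, rtype, txid, port) != (q.name, q.rtype, q.txid, q.port):
            return False
        self.cache[(name, rtype)] = answer
        for rname, rrtype, rdata in additional:     # in-zone additional RRs are cached
            if rname == ZONE or rname.endswith("." + ZONE):
                self.cache[(rname, rrtype)] = rdata
        self.outstanding = None
        return True


def kaminsky_race(resolver, rng, forged_per_query, max_rounds):
    """Each round asks for a fresh random name under ZONE (never cached, so the
    resolver always emits a new query) and floods guesses whose additional
    section carries a forged NS record for the whole zone. Returns the winning
    round, or None if the budget runs out."""
    evil_ns = (ZONE, "NS", "ns.attacker.example")
    for rnd in range(1, max_rounds + 1):
        name = f"r{rnd}.{ZONE}"
        _, q = resolver.lookup(name)
        for _ in range(forged_per_query):
            port = rng.randrange(PORT_MIN, PORT_MAX) if resolver.randomize_ports else 53
            if resolver.deliver(name, "A", rng.randrange(TXID_SPACE), port,
                                "192.0.2.1", [evil_ns]):
                return rnd
        # the legitimate answer arrives and the race for this name is over
        resolver.deliver(name, "A", q.txid, q.port, "198.51.100.1", [])
    return None


def expected_rounds(entropy_bits, forged_per_query):
    """Mean rounds until one of forged_per_query guesses hits a uniform value."""
    return (1 << entropy_bits) / forged_per_query


def demo():
    rng = random.Random(2008)   # one seeded generator so the run is reproducible
    fixed = ToyResolver(rng, randomize_ports=False)
    # The pre-Kaminsky approach: once the real foo.com NS answer is cached, asking
    # again emits no query, so there is nothing to race until the TTL expires.
    _, q = fixed.lookup(ZONE, "NS")
    fixed.deliver(ZONE, "NS", q.txid, q.port, "ns1.foo.com", [])
    _, again = fixed.lookup(ZONE, "NS")
    rounds_fixed = kaminsky_race(fixed, rng, forged_per_query=256, max_rounds=65536)
    randomized = ToyResolver(rng, randomize_ports=True)
    rounds_random = kaminsky_race(randomized, rng, forged_per_query=256, max_rounds=1000)
    return {
        "old_attack_emits_new_query": again is not None,
        "rounds_fixed_port": rounds_fixed,
        "poisoned_ns": fixed.cache.get((ZONE, "NS")),
        "rounds_random_port": rounds_random,
    }


if __name__ == "__main__":
    print(demo())
```

Against the fixed-port resolver the attacker needs on the order of expected_rounds(16, 256) = 256 rounds of fresh random names; adding roughly 16 bits of port entropy pushes that to expected_rounds(32, 256) = 2^24 rounds, which is why the randomized run here is capped at 1000 rounds and is expected to come back empty. That difference is the entire effect of the source-port patch, and it disappears again if a NAT in front of the resolver rewrites the ports back to a counter.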
Dan Kaminsky
July 21st, 2008 9:57 pm
Tom–
Seriously? A favor, to not post technical information, on this public forum?
Thomas Ptacek
July 21st, 2008 10:01 pm
I just thought maybe you wouldn’t want it all here, Dan. But if you object, I’ll delete the request.
Dan Kaminsky
July 21st, 2008 10:06 pm
Please leave the request.
Ulysses
July 21st, 2008 10:07 pm
“We chose to have a story locked and loaded for that presentation, or for any other confirmed public disclosure.”
Ahem. To what purpose? I picked up the story from other sites that mirrored it. And looks like it is, with all the details, a rehash of what Kaminsky *was* to present at BH Vegas 2008.
Was it an exercise on “hey, let’s explain what the problem is in terms that Joe Sixpack can understand, in case Dan made it more difficult than needs to be” ?
“…or for other confirmed disclosure” - in case Dan was piss drunk and hence unable to post the details to his own site?
Or am I missing the point? ’cause it certainly looks like you folks were about to ride on top of his research . . .
I bet Kaminsky is pissed today - don’t hold your breath waiting for him to share any more details about anything any time soon . . .
So, what was the point of having it “ready to go” ? Has the NY Times outsourced the “news from the Internet” section to matasano ?
Thomas Ptacek
July 21st, 2008 10:11 pm
Dan: duly noted. The irony isn’t lost on me.
Thomas Ptacek
July 21st, 2008 10:12 pm
Ulysses: I think those are all good points. I was overeager with this story.
Brad Lhotsky
July 21st, 2008 10:31 pm
I got a chance to read the story before it was pulled. I understand you feel you jumped the gun, but I don’t think any harm was done. I’ve heard through the grapevine that the exploit code has been available in certain circles for some time now.
At the end of the day, DNS is a gaping hole in the security architecture of the internet. Even with all the patches applied the basic design decisions and necessities require a ridiculous amount of trust in completely untrusted entities.
By posting the vulnerability and making the details available, you have enabled me to look for the problem. Sure, not everyone will look, but not everyone is running djbdns!
Thanks for the post. I sincerely hope you consider releasing it soon.
Matt
July 21st, 2008 10:48 pm
@Ulysses:
Thomas and the other Matasano folks have a history of writing educational posts about impressive hacks. The post under discussion was very much in the mold of previous Chargen posts.
CNN
July 21st, 2008 10:55 pm
this whole thing is wack, and people need to grow up… dan is a great researcher and brilliant dood.
so is halvar..
but he’s obviously a prick as well..
what ever happened to respect?
cool, you speculate, you published details, you want a cookie?
unreal
Oops DNS Attack Disclosed! And once again DJB is the Shit! | Zero / Love
July 21st, 2008 11:12 pm
[…] at Matasano’s blog to post a response. Too bad Thomas Ptacek pulled it and posted “Regarding The Post On Chargen Earlier Today”. I love how elegantly Halvar Flake put it and I have to agree…. “In a strange way, if nobody […]
Nate McFeters
July 22nd, 2008 12:07 am
@CNN
As someone who knows Halvar personally, if not extremely well, he is most definitely not a prick. You don’t have to agree with how he handled this, but he’s no prick. He’s doing what someone in the security research community is supposed to do, figure out bugs. I heard Dan’s call for hush hush, as did others, but not everyone believes it should’ve been handled the way that Dan chose. Can’t fault them for that.
-Nate
Liquidmatrix Security Digest » DNS Exploit Is Out Of The Bag
July 22nd, 2008 12:12 am
[…] published an apology soon afterward, We removed it from the blog as soon as we saw it. Unfortunately, it takes only […]
Jeff
July 22nd, 2008 12:42 am
@Nate McFeters
Dan called for a lid on speculation, but simultaneously issued a challenge, offering to bring anyone who figured out the vulnerability on stage at Blackhat. That’s the thing I don’t get in all this.. I can understand both the desire to keep speculation under wraps, and give folks time to patch, as well as the desire to figure out the mystery - that’s the nature of people in this field after all. But to simultaneously present both sides seems… weird. You can’t have your cake and eat it too after all.
Chris
July 22nd, 2008 1:48 am
I would appreciate some info for the stoopid users. There was a Windows update and also updated Linux packages for this flaw, right? Is the normal end user already protected from this? Or is it a DNS-server-side flaw no matter what I do?
Dan Kaminsky
July 22nd, 2008 1:48 am
Jeff,
Actually, the idea there was to see if I could get some attention on some new blood. I don’t know if you’ve noticed (FX did a while back, to fairly deafening silence) but we’re not exactly good at bringing in new kids and giving them a stage to be heard. Mudge really inspired me early on, with nothing but a positive reaction to a clarification I made from the audience. I thought it’d be interesting to open things up, maybe have a couple of college kids or random sysadmins explore something new and get rewarded for it — while, you know, keeping the infrastructure safe.
And, you know, for the half dozen or so people who figured this out before Halvar, that would have been really nice.
Nate, I do believe our job is to help get bugs fixed. There’s a subtle but important difference.
Thomas Ptacek
July 22nd, 2008 1:52 am
Dan: I know what you mean about that. I had the same experience with Mudge, San Mehat, and Ramsey Dow, back in the ’90s. And every time I’ve ever underestimated some 19 year old — pretty much every time — I’ve gotten depantsed as a result.
Lap Cat Software Blog » Blog Archive » SECURITY ALERT: check your DNS servers
July 22nd, 2008 2:18 am
[…] full details of the infamous DNS vulnerability have been inadvertently disclosed. The post was pulled, but I can still read it in my Vienna […]
ivan
July 22nd, 2008 3:04 am
Ah gimme a break! Do you actually expect people to just go in the kennel and shut up about the problem if they thought they figured it out by themselves? What do you expect them to do? Send an email to their 31337 security buddies with subject “one for the inner core”? (http://securitydigest.org/core/archive/120)
Anyway if what I’ve read is actually Dan’s attack I’m disappointed (eh right, nobody cares anyway). I don’t see why it justifies randomizing source ports any more than the previously known problems. Amit Klein talked about CNAME and NS referral chaining already and forcing a series of random queries to bring back to life a birthday attack. I suspect there is more than just that in Dan’s finding. I also suspect that Vixie’s pointer to a DNS server that answers a query with a chained CNAME/NS response may also be telling but then again this is all pure speculation and I’m told I should not be doing that because it may break the interneks
bb
July 22nd, 2008 3:10 am
“Shortly afterwards, when the story began getting traction, a post appeared on our blog about that hypothesis. It was posted in error.”
“Appeared”?? “Posted in error”? What the hell!?
Can somebody translate that to me?
Stefan Esser
July 22nd, 2008 3:21 am
Great,
so the security theater and media circus orchestrated by Dan Kaminsky and friends is finally over.
It was so absurd that people actually played the Kaminsky game such a long time for no obvious reason. Keeping information like a DNS spoofing vulnerability closed from the general public and security researchers while many (bad) guys already know the details is NOT PROTECTING the internet. It is actually the opposite.
Do you really believe the Kaminsky circle of 18 (or was it 17) were the only ones knowing the details? How many members of that circle did really keep their mouth shut? How many of them are backdoored/owned (whatever)?
I congratulate Halvar for stepping up and being a real researcher and not a Kaminsky puppet.
Stefan Esser
Large-scale problem with DNS servers « Blogs are like opinions. Everybody has one…
July 22nd, 2008 4:23 am
[…] DNS Forgery in 2008: Kaminsky’s Discovery ← They have taken it down. I saw it via Google Reader. Posted by adamo Filed in DNS, […]
silky
July 22nd, 2008 4:31 am
@stefan
whether you think dan was right or wrong matasano fucked up by posting what should’ve been private. anyone else is allowed to post it; but after matasano was told they should’ve definitely kept it private out of obligation to their agreement with dan. bullshit that it was broken here. fine if it happened elsewhere; but it didn’t.
interested
July 22nd, 2008 5:36 am
Your pulled blog is also mirrored on http://blogs.buanzo.com.ar/2008/07/matasano-kaminsky-dns-forgery.html
Alecco Locco
July 22nd, 2008 6:15 am
Hi.
You are very professional and responsible. But I think this apology is overdoing it. A Linux advisory disclosed the cause on its description 11 days ago. Halvar Flake only put it more evidently.
Take it easy.
Alecco
Dan Kaminsky’s DNS Attack Leaked
July 22nd, 2008 6:21 am
[…] The Matasano blog has now a new post regarding the previous post […]
Multiple DNS implementations vulnerable to cache poisoning, getting time to patch | vanimpe.eu
July 22nd, 2008 6:43 am
[…] are commenting (here and here) whether or not the cat has been let out of the bag or not. The exploit has been out there […]
foxnews
July 22nd, 2008 7:39 am
Nice apology, but the irony is not lost.
The details were not Matasano’s to publish, even if someone else decided to take a stab at it. Shouldn’t Dan be the one to confirm (or not) the research? After publicly lashing Dan for playing the media (initially), it appears that Matasano was eager to do the exact same thing by having this post ready.
Cat. Kettle. Oops.
hybriz
July 22nd, 2008 7:51 am
Stefan: exactly!
“Do you really believe the Kaminsky circle of 18 (or was it 17) were the only ones knowing the details. How many members of that circle did really keep their mouth shut? How many of them are backdoored/owned (whatever)?”
at least half of them are owned.
Luke
July 22nd, 2008 8:44 am
@tyme
Cat was out of the bag even earlier.
07/08/2008 02:46:15 PM VU#800113 Multiple DNS implementations vulnerable to cache poisoning
http://www.kb.cert.org/vuls/id/800113
Credit
Thanks to Dan Kaminsky of IOActive for identifying the effectiveness and practicality of DNS cache poisoning, and to Paul Vixie of Internet Systems Consortium (ISC) for raising the urgency of these issues. Daniel J. Bernstein is credited with the original idea and implementation of randomized source ports in the DNS resolver.
This document was written by Chad R Dougherty.
48Bits Blog » Blog Archive » Lamenteibol.
July 22nd, 2008 8:46 am
[…] forever. And then it all kicks off. Slashdot picks up the story, and Ptacek publishes a note apologizing and saying the post was published by mistake. Hey, a guy with the track record of […]
someone_not_in_academia
July 22nd, 2008 10:10 am
Candidate for epic fail punt punt!
Thomas Ptacek
July 22nd, 2008 10:12 am
Little bit, yeah.
Zero Day mobile edition
July 22nd, 2008 10:15 am
[…] done), forcing Kaminsky to acknowledge that his Black Hat thunder was stolen. Ptacek has since apologised but there are so many ruffled feathers, it’s hard to imagine things being the same in the […]
Walsh
July 22nd, 2008 10:21 am
I understand having a post teed up. If the agreement between Kaminsky and Ptacek permitted ecopeland to be informed, this was a simple mistake. If not, it was a more complex mistake.
Jedi Mercer
July 22nd, 2008 10:38 am
Um, does this mean we can hold you liable now if someone p0wns our domains?
(Ok, it’s not terribly funny *now*…)
Phil Groce
July 22nd, 2008 11:29 am
I, too, got the original article in my RSS reader cache. I understand the reasoning behind taking it down, but it was a very cogent and engaging description of the problem. I hope you consider putting it back up after BH; I think it will be educational.
Techokami
July 22nd, 2008 11:52 am
Despite apologizing for making probably the most boneheaded blunder of this website’s life, I still want to simply say:
Smooth move! You’ve doomed us all! =(
sigsegv
July 22nd, 2008 12:08 pm
Hmm… what an interesting turn of events.
So, tell me Tommy, if you can’t keep info private as a favor to a friend of yours that you respect (and who was nice enough to give you vuln info after you made a condescending post to a public blog about him and the vuln he found), how can we expect you to honor NDAs you may have with clients? Why should you expect your co-workers and interns to find 0day for you and then “never talk about them” (your exact words)? Seems like a bit of a double standard to me Tommy.
All whitehats are the same no matter how well known they are. They’re all a bunch of attention seeking media whores. At least Dan was nice enough to work with vendors to get the vuln patched. I have a feeling that the Matasano crew would have put a PoC on milw0rm and a self glorifying blog post on chargen.
Way to go Tommy. Way to go.
DNS Fool » DNS Attack Details Come Early
July 22nd, 2008 1:03 pm
[…] around the Internet. Although the post has since been taken down, and the Matasano team has apologized, the text of the post is available all around the Internet. The cat is out of the bag, so […]
milw0rm add!ct
July 22nd, 2008 1:30 pm
You wrote “Dan did phenomenal work on this research”
I will kindly disagree today and at Black Hat.
Dan did not ONCE ask permission to use everyone’s DNS as his personal testing grounds and has merely spotlighted an older, well-documented problem.
Thankfully he did, and I am appreciative of most of his efforts, yet this is one large item most everyone has decidedly ignored.
My two cents, FWIW
Jeff
July 22nd, 2008 2:04 pm
@Dan
Now that you’ve explained the reasoning, it makes a bit more sense. Still, I’m sure you can understand how those two points seemed a bit at odds.
As one of the ‘new kids’ albeit an early-30s new kid with a bunch of operational experience just recently moving into a security role, I definitely appreciate any efforts to help bring new blood into the fold. Personally, I’ve found many of the more experienced people in the community to be welcoming. I’m sure you don’t remember, but I ran into you at the Defcon bar last year and we (and some other people) stayed up drinking until late in the night, while you re-played your Blackhat presentation in more detail, and answered many folks questions. That sort of approachability (and that which Thom shows at every Chi-Sec, even though I’ve only rarely attended) really help to expand the community and welcome new ideas. Ultimately that’s a good thing for those we aim to protect. I’m way off topic here, but there you have it.
Anyhow, good work on this vulnerability. I know you’ve been taking a lot of flak for the disclosure process you’ve chosen, but it really seems the industry as a whole doesn’t have any way to please everyone. Regardless of what anyone thinks of the actual process, I’m sure most will agree that your intention in this was (and is) noble.
John McDonald
July 22nd, 2008 2:05 pm
Going back to what Ivan said, wasn’t rdist awesome?
anonymous
July 22nd, 2008 2:05 pm
Walsh: I can’t see why Tom would queue a post on his blog. Maybe gpg encrypted on his laptop but here? It is running WordPress after all.
Isn’t ecopeland your wife’s name?
Thomas Ptacek
July 22nd, 2008 2:15 pm
I asked to get a post queued up in anticipation that the story would break yesterday, after Halvar published in the morning. The intent was for it to go live once Kaminsky confirmed Halvar. Among other things, I did two things I regret:
(1) We staged the post on the blog; when we proofread it, we were playing russian roulette with the Wordpress UI to keep it “Unpublished”.
(2) I decided that once the information was “in play” (confirmed by Kaminsky), it was open season. We have a huge audience, and we should have let it hit Kaminsky before we chimed in.
Thomas Ptacek
July 22nd, 2008 2:17 pm
Erin’s a team member here, yes. She’s also my wife. This issue has basically nothing to do with her judgement, and everything to do with me and Jeremy’s.
Byron Sonne
July 22nd, 2008 2:47 pm
Now I really wish I had ponied up the cash for BlackHat
Either way, as soon as the story that Kaminsky was working on something big started making the rounds… then combined with an embargo on publication… really, what did folks think would happen?
This has been a fantastic story so far, and it’s also been fascinating to see who’s taken what kind of a stance.
Interesting times!
Dan Kaminsky
July 22nd, 2008 3:58 pm
Tom–
Please don’t attack Jeremy’s judgement. I never briefed Jeremy.
Greg Martin
July 22nd, 2008 4:27 pm
In Texas we settle this type of stuff in person
jf
July 22nd, 2008 4:32 pm
well congrats, you guys managed to squeeze your name in on dan’s find and garner some of the press for yourself. Is this a matasano marketing technique? Attack whoever is in the news now as a means of getting in the news also?
Thomas Ptacek
July 22nd, 2008 4:43 pm
I’d gladly trade all of this press for none of this press, jf, but we deserve the hits we’re taking.
Steve
July 22nd, 2008 4:52 pm
I’m still waiting on further news of playbook. Maybe you guys could drown your sorrows in product release….
Thomas Ptacek
July 22nd, 2008 4:54 pm
Thankfully, Max and the Playbook team have been drunk with Playbook for awhile now, and far away from this debacle.
jf
July 22nd, 2008 4:56 pm
Thomas,
It feels similar to the stuff with Johanna a bit back.
Thomas Ptacek
July 22nd, 2008 5:01 pm
In what sense? Peter, Nate, and I, both together and independently, spent months working on virtualized rootkit detection, based in part on a virtualized rootkit prototype built at Matasano. It was not an easy project. Joanna had the only other known virtualized rootkit besides Dino’s. The only thing I’d have done differently at Black Hat ‘07 is change the title of the talk; nobody got the joke.
What would I have done differently here? Almost everything.
New DNS exploits in the wild - Nirlog.com - Technology, Life and other stuff that come along…
July 22nd, 2008 5:07 pm
[…] Kaminsky’s DNS exploits were posted by error in a blog and taken down quickly (which has this explanation now), but you can get the original post here or here. Download the source code for a DNS implementation […]
Dangling-Pointer-Luvr
July 22nd, 2008 5:24 pm
[-ed redacted: Let’s stay on topic. ]
jf
July 22nd, 2008 5:24 pm
Thomas,
Okay, fair enough. As an outsider who didn’t pay a lot of attention, it seemed like an attack to garner press, realizing that I’m an outsider looking in on the situation, and didn’t really pay much attention to it, I can see how I may be mistaken in my impressions. It’s at least worth giving you et al the benefit of the doubt
Thomas Ptacek
July 22nd, 2008 5:27 pm
It was a Black Hat presentation about our work on virtualized rootkit detection. It was certainly intended to gather press. That’s a big part of why people do Black Hat presentations.
You don’t have to take our word for it or give us the benefit of the doubt, though: the slides from our talk are online, and they’re pretty detailed:
http://www.matasano.com/log/925/slides-from-vt-x-rootkit-detection-talk/
Hescominsoon
July 22nd, 2008 6:23 pm
this is bs. This should be fully disclosed..you don’t think the bad guys know already..you have your head in the sand. I can’t judge the severity and urgency for my clients because a select few elitists hide the details.
Mike
July 22nd, 2008 6:33 pm
This apology sounds like a bunch of backpedaling bullshit to CYA after you guys screwed up.
Way to go Matasano.
sorcy
July 22nd, 2008 7:17 pm
Regardless of who screwed up, at least it’s in the open now. Unless you’re a big fan of “security through obscurity”, which the whole hush-hush was in the first place.
Matt
July 22nd, 2008 7:36 pm
@Mike: They are backpedaling because they did in fact screw up. It’s what people who are big enough to admit they’ve made a mistake do.
tonyn
July 22nd, 2008 8:32 pm
@Chris:
>I would appreciate some info for the stoopid users.
Very simply: DNS works by asking the next guy the number associated with a name, following a chain of links until someone knows the answer, part of the answer or knows that the question is wrong. (E.g. a typo.)
So a typical setup may be:
Your PC/Mac asks your firewall/router, the firewall will pass questions to the ISP, and the ISP will ask a root server.
Scenario #1
An attacker will typically try to give wrong answers to the ISP, as that will get the users. (E.g. they want credit card numbers and want to steer people to a fake auction or web shop site.) If the ISP is not vulnerable then a determined attacker may still select individual ISP customers to try her attack.
For protection you need your ISP to update their system, and you should probably check for firmware updates from your firewall/router vendor.
Scenario #2
The attacker has access to your local network. (Maybe you are on a college network or have WiFi running.) You are the target in this case. (You may also be similarly vulnerable to your ISP’s other customers, depending on their network configuration.)
The Windows/Linux update protects your PC from this scenario.
To be reasonably safe you need to do your local updates and your ISP also needs to do their bit.
Business computer systems may be set up a little differently, and their principal concerns may not be credit card thieves but interception of communications with trusted partners.
ttfn
Mike
July 22nd, 2008 8:33 pm
It’s not about whether or not it should have been open in the first place, it’s about Matasano’s lack of _integrity_.
Mike
July 22nd, 2008 8:33 pm
@Matt: my problem is that they pawned it off like it was an accident, which I don’t buy.
Scott Morrison
July 22nd, 2008 8:54 pm
This is new? I’ve read Halvar’s post, and it is a good read, but it’s not exactly new, is it?
I tested sending additional RRs and glue to queries back in 2000, and was able to see that many caching resolvers would cache the additional data. It occurred to me then that spoofing replies with the requested data as well as unsolicited data could be a problem. But as a net admin, and not a DNS dev, I noted it and moved on.
This is pretty much exactly what Halvar is describing, is it not?
If an extra 16 bits of entropy is going to fix this, great, but I doubt it is.
get a life
July 22nd, 2008 9:30 pm
no one cares, no one should really care that much. DNS vs Global Warming. DNS vs Malnutrition. DNS vs Floods and Hurricanes. DNS vs DJB. DNS vs Net Neutrality. DNS vs Wiretapping. DNS vs all the browser exploits you have. DNS vs inflation. DNS vs housing shortages. DNS vs the mess of discarded colonies. DNS vs *
Details of major Internet flaw posted by accident | InfoWorld | News | 2008-07-22 | By Robert McMillan, IDG News Service
July 22nd, 2008 9:33 pm
[…] Monday, Ptacek apologized to Kaminsky on his company blog. “We regret that it ran,” he wrote. “We removed it from the blog as […]
Digital Yenta
July 22nd, 2008 9:49 pm
I’ve been reading this blog since:
http://www.matasano.com/log/53/thanks-mjr/
I think at the end of the day, Matasano was doing what Matasano does best: provoking the “community” into actually thinking about problems out loud and openly.
Personally I think it’s a great thing & always have.
Maybe you jumped the gun, maybe you didn’t.
I can’t really see the fault with yesterday’s blogpost.
If Dan didn’t want anyone to know the details of the exploit prior to Blackhat, why would Dan say anything to Thomas?
This reeks of smokescreen to me. Kaminsky + Ptacek = in cahoots?
If there is indeed no hypebuilding conspiracy, then the least ya could do, is give Dan some love by sticking a link to his site under “People We Read”.
but what do I know. I’m still hacking on my Adam.
John
July 22nd, 2008 10:05 pm
What about DNS Servers behind a NAT device which doesn’t randomize the new source port? (Which from what I have read, is the majority.) Has anyone confirmed if this negates the patch and means we are just as vulnerable as we ever were?
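John’s question above is the check an operator actually needs to run: not “did I install the patch” but “do my queries still leave with random source ports after the NAT”. Added example, not part of the original thread and not code from Matasano: a small Python classifier over tcpdump-style capture lines that flags a fixed port, a NAT rewriting ports to a counter, or a healthy spread. The capture lines are constructed for the example, the addresses are documentation ranges, and the parser assumes tcpdump’s default “IP src.port > dst.port:” rendering.

```python
import re

# Parser assumes tcpdump's default rendering: "IP <src>.<sport> > <dst>.53: ..."
QUERY_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.53: "
)


def make_capture(ports, src="203.0.113.5", dst="198.51.100.10"):
    """Constructed capture: one outbound query per port, plus one non-DNS line
    that the parser must ignore."""
    lines = [
        f"12:00:{i:02d}.000000 IP {src}.{p} > {dst}.53: 1234+ A? r{i}.foo.com. (28)"
        for i, p in enumerate(ports)
    ]
    lines.append(f"12:00:59.000000 IP {src}.51000 > {dst}.443: Flags [S], seq 1, length 0")
    return lines


def source_ports(capture_lines):
    """Source ports of outbound queries to port 53, in capture order."""
    return [int(m.group("sport")) for m in map(QUERY_RE.search, capture_lines) if m]


def classify_ports(ports):
    """'fixed': one port for everything (pre-patch, or a NAT pinning the port).
    'sequential': ports climb in small steps (a NAT rewriting to a counter).
    'reused': random-looking but heavily repeated. 'random': what the patch
    is supposed to give you. Thresholds are judgement calls for this example."""
    if len(ports) < 8:
        raise ValueError("need at least 8 queries to judge")
    distinct = len(set(ports))
    if distinct == 1:
        return "fixed"
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    small_steps = sum(1 for d in deltas if 0 < d <= 4)
    if small_steps >= 0.8 * len(deltas):
        return "sequential"
    if distinct < 0.9 * len(ports):
        return "reused"
    return "random"


def report(capture_lines):
    ports = source_ports(capture_lines)
    return {"queries": len(ports), "distinct": len(set(ports)),
            "verdict": classify_ports(ports)}


# Three constructed captures, as seen on the *outside* of a NAT.
CAPTURE_FIXED = make_capture([53] * 12)                       # unpatched resolver
CAPTURE_NAT = make_capture(list(range(1024, 1036)))           # NAT rewrote ports to a counter
CAPTURE_RANDOM = make_capture([41922, 9013, 60271, 17754, 33020, 50388,
                               2311, 27945, 58100, 11467, 46229, 7036])


if __name__ == "__main__":
    for label, cap in (("fixed", CAPTURE_FIXED), ("nat", CAPTURE_NAT), ("random", CAPTURE_RANDOM)):
        print(label, report(cap))
```

The capture has to be taken on the far side of the NAT (or read off a cooperating authoritative server’s logs); a capture on the resolver’s own interface will show the randomized ports the patch generates and say nothing about what the NAT did to them afterwards. A “sequential” or “fixed” verdict means the resolver is back to 16 bits of transaction-ID entropy no matter what was patched.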
Matt
July 22nd, 2008 10:14 pm
@Mike: Yes, as I get older I believe more and more in people’s devious hidden agendas, but I am of the opinion they just pulled the trigger too early on this one, and that’s all.
joeyb
July 22nd, 2008 11:01 pm
@ jf
“well congrats, you guys managed to squeeze your name in on dan’s find and garner some of the press for yourself. Is this a matasano marketing technique? Attack whoever is in the news now as a means of getting in the news also?”
this “accident” is worse than a marketing scheme gone bad, it’s the type of thing that i refer to when a highly public data loss occurs as an OEE (pronounced “Oy”- organizational ending event). whether matasano can endure the data loss is anyone’s guess, but i find it beyond inexcusable for an infosec research company to facilitate the very breaches that Dan worked very hard at attempting to protect..
Thomas Ptacek
July 22nd, 2008 11:13 pm
Joey, it sucks that you think that, and I have no illusions that I’m going to change your mind. But I’m going to come back at you on the “bashing Kaminsky” comment, because it’s not true. Did I doubt Dan had a real new vulnerability, and not just a clever new exploit? Absolutely. Did I get set straight? Yes. I’ve respected Dan since his talk at Black Hat in ‘04 when he stored files in DNS caches.
I think Dan has a right to feel like he took flak from me even after telling me what the vuln was. At this point, I’ve fumbled any moral authority I have to persist in those arguments. But I didn’t make them to hurt Dan’s feelings. He retains what is likely to be the best talk at Black Hat, though it’s his business to tell you why.
Thomas Ptacek
July 22nd, 2008 11:17 pmMatt:
The goal, once I saw Halvar’s post, was to wait for Dan’s imminent confirmation (we expected a blog post from him) and post then.
I was surprised that Dan continued to keep it quiet after Halvar posted, and even more surprised to see our draft had been published. It was a worst-case scenario for us.
There are a lot of things I could have done differently to keep us out of this story, almost all of which I wish I did.
marc
July 22nd, 2008 11:41 pmso… you are a security company and you accidentally publish a post about one of the biggest secrets of the internet?
ah! no! it’s just that “a post appeared on our blog”
good work… (sarcasm)
anon
July 23rd, 2008 12:12 amSeriously, good work Tom (no sarcasm intended). We have all been desperate for news/confirmation regarding this and Dan has let the entire net community down. Whether or not your post was intentional (I doubt a man of your skill would screw this up accidentally), you did the right thing in releasing this information and breaking the monopoly Dan held on it. Kudos to you.
anon
July 23rd, 2008 12:34 amdan was playing god. now he’s not. it’s not good to play god. who does dan think he is?
Rudd-O
July 23rd, 2008 12:47 am1. Dan: “but we’re not exactly good at bringing in new kids and giving them a stage to be heard”
Hmmm… I WONDER why that is… maybe it’s because the “new blood” is busy keeping their discoveries under wraps like someone else I am just becoming familiar with?
Besides, it’s not like this info isn’t public knowledge now, so calling for “no technical info on this post” is preposterous, when Slashdot (100x the readership of this blog) already has the scoop.
2. I knew it was WordPress. Matter of fact, I dunno if Error 99 triggered the early release of the post, but WP has had, in the past, information disclosure vulns.
3. Jesse: “The bottom line in this case is pretty simple - If person Dan tells Thomas some information only because Thomas agrees to unconditional secrecy, then it’s really not up to Thomas.”.
Please reread the first paragraph of my post.
4. Finally: I’m willing to bet a few thousand of us had the text of the post saved, but I only see a few posts around the net with it. So I guess this campaign for obscurity (let’s call it for what it is) has simultaneously succeeded and failed.
If anything, Thomas shouldn’t have promised secrecy to Dan in order to get the goods. It was probably a matter of reading the commits in BIND to figure it out. That way, Thomas wouldn’t have been obligated to secrecy in a matter that was bound, sooner or later, to hit the public.
anon
July 23rd, 2008 1:42 amPersonally, I think the discovery should be attributed to Halvar, and that Dan should miss out on the credit. This is the only reasonable way in which we can ensure people don’t follow Dan’s greed in hoarding knowledge.
In all scientific fields (including IT), it is the first to publish who gets the credit. There have been many cases where others have made discoveries first but missed out on the credit due to their greed (RSA algorithm for example). We need to send a clear message to those who do not believe knowledge is for all.
tokumei
July 23rd, 2008 2:47 amAll of you self-proclaimed security experts that have been whining about how “Full Disclosure is the only method for good security” or how “Dan thinks he is God” are annoying as shit.
You all have too big egos and are just upset that someone else found a serious vulnerability in the Internet’s infrastructure, and mostly because that person was not filling you in on the details for a mere 30 days.
The argument that “we don’t have the exact details of the bug so I can’t assess whether I REALLY need to apply this patch or not” is a complete bullshit excuse and everyone knows it. That’s just the best lie that people can come up with to try to pressure Dan in to giving the details out earlier so that they don’t feel dumb or excluded.
If every major IT vendor in the world, a credible security researcher, and some of the most experienced and knowledgeable people about DNS are saying that this is a major issue, then that should be enough reason to patch regardless of having exploit code handed to you and the rest of the world.
Sure, there is a good chance that the infamous “bad guys” were able to figure it out before the 30 days, but if it takes all of the world’s best security researchers working together for 13 days to come up with an almost-right answer, then it probably would take “the bad guys” some time as well. Security through obscurity is not good but it is certainly a layer of defense. I don’t know how some people here (Esser?) can claim that giving out point-and-click exploit code provides a better defense.
and since when did Halvar rediscover this? Was his guess 100% accurate…???
@Tom
Either the people at matasano are completely ignorant with computers or you posted the details on purpose… If you were so careful about not hitting the “russian roulette” you would have noticed that you posted it the second after it happened and removed it within 30 seconds. 30 minutes of “not noticing” is ridiculous… just enough time to have everyone’s RSS readers download it and enough time to act like it was an accident.
@Dan
I think the way you handled everything was great and I am sure there are many many sane people out there that are very grateful for your efforts. (Although you managed to piss off all of the security kiddies in the world.)
The only thing you fucked up was that you gave in to peer pressure and let out the details. If only you could have held your ground, you could have had more than 13 days…
Thomas Ptacek
July 23rd, 2008 2:52 amThe post was up for far less than that.
anonymous
July 23rd, 2008 4:33 amFunny thing is that OpenBSD doesn’t look forward to patching bind, since they say that ugly pf+nat hack could fix this.
Why didn’t these monkeys get nominated for pwnie awards???
jf
July 23rd, 2008 5:16 amI really don’t follow the ’security through obscurity’ comments, or how this was being kept secret exactly. I mean, it’s not that incredibly hard to diff the two versions of bind, which shows you what was changed, then it’s off to the RFCs and some creative thinking. The arguments that I’ve heard about how people have these customers and need more details to judge severity seem misguided at best: if every vendor tells you to patch now, and you can’t figure it out on your own via diffs/et cetera, what can anyone really tell you that’s going to help you?
Even more, I don’t recall seeing an advisory from Dan, just a bunch of advisories from the vendors crediting him with a bug find. He never went ape-shit posting places, so I don’t see how everyone’s (over)reaction can be put on him. Sure, I think it’s silly (and futile) to ask people to not investigate it themselves, but it’s not like anyone asking for such things has ever gained any traction in the past (and typically inspires the polar opposite), so why all the fuss?
As for this (the leak) being an organization ending event, I think that’s pretty much not going to happen, and it’s pretty absurd to consider that anything anyone could say would have that big of an impact.
ghe
July 23rd, 2008 5:52 amThis has turned into a circus/publicity clusterf**k.
First of all, once the information (and by extension, class attack) is out, it is out. You may contain it for a while but in the end, it will spread to everyone. I, for one, got the full Monty from a link contained in a comment in this blog …
What makes you think that only Halvar was able to deduce this information? Is this not a sign of arrogance? Do you guys really think it is still 1995 (as conveniently written in the now retired blog post) and that the world of network security research is still a closed, self-centered social club? Let me let you in on some news:
MOST OF YOU (us, if you prefer) do not have a clue what the current level of security research is in countries like China, India, Russia or in non-state actors, yet you create a storm (someone is calling this an OEE, for crying out loud) in a teacup for what? That “evil” Matasano spoiled (maybe by a bona fide mistake, maybe by something more nefarious, I cannot speculate) the exclusivity for the conference brigade?
Give everyone a break please and let’s get the patches out there
tyme
July 23rd, 2008 8:15 am@luke
I don’t think that’s the same cat.
@scott morrison
Try to find a copy of the original Matasano post. Digging through the comments in the slashdot thread might get you a working link, or at least a re-phrasing by someone else. Halvar says on his own blog that “[he] was close… but no cigar.”
Dan
July 23rd, 2008 9:37 amWhat moral am I supposed to take away from all this?
Suppose a fellow is telling the world “please, update your critical infrastructure, fast.” Then I’m there talking to the media saying “no, no, don’t bother, it’s probably nothing major.” So that fellow confidentially tells me the details, because I’m seriously undermining his attempts to protect the public. And so I get more media attention when I say “oh, he means it folks.”
And then when I accidentally spill the beans I get yet more publicity.
Seriously, what lesson does that teach? “Being an ass is rewarded” sums it up nicely for me. I could’ve just kept my big fat mouth shut at the start, but then I wouldn’t have gotten media attention and lots of blog comments.
I’m not sure what I want. Unlike some other commenters above, I really don’t think this is an OEE, and I’m not sure it should be.
Thomas will give many more mea culpas, but I see absolutely no reason for someone else not to follow this exact same path. Sure, he *says* he’s sorry, and I believe he is, but he and M’tso will only benefit from all this. In a few months no customers are going to remember the details, just that they heard about the company during that DNS kerfuffle a while back.
Again, I’m not sure what I want to see happen. Maybe it’s just the way our industry is, which is a pretty sad commentary. It gets harder and harder to keep one’s moral compass.
Luke
July 23rd, 2008 9:48 am@tyme
Duly noted. I read “Mallory has combined attack #1 with attack #2, defeating fix #1 and fix #2,” from said post and this, “[r]ecent additional research into these issues and methods of combining them to conduct improved cache poisoning attacks have yielded extremely effective exploitation techniques” and just drew my thoughts back to combining attacks and had a brain bubble.
John McDonald
July 23rd, 2008 12:05 pmChin up guys..
Obviously this was an epic fuck-up, but I don’t think anyone really believes that you guys would suddenly trade away a combined 4 or 5 man-decades of credibility for a 5-minute press bump.
Well, Dan probably believes it, but he’ll eventually get over it. Besides, he’s probably got a few more design bugs in 30-year old protocols left in his career. :>
Thomas Ptacek
July 23rd, 2008 12:09 pmThanks, John. We appreciate it. Right now, we’re just keeping our heads in the game and busting up the software in our projects. It’s cathartic.