Sadly, no idea.

Hi Dan!!

Never met ya, heard some of your talks, and you seem like a hoopy frood. If by some weird, strange accident we ever hang out at RSA or defcon, the first three rounds on are me.

I didn’t ask what people “can” do. I’m talking about what they are doing.

ha ha ha

@Shaddack hates all things Apple. He’s not going to know.

It was in the back of my head when I posted, but it’s always worth asking. I wasn’t trying to get in the way of your fight either. I disagree with both of you on occasion, but I’m not getting in the middle of this one. Carry on.

It isn’t a fight really.

He can say “Oh, you can do this or this or this” all he wants. Meanwhile, everyone and their brother in ops at every company worth its salt is scrambling to patch things quickly. I know my guys at work were working hard this week.

Sorry. I was probably taking too broad a view there.

Every time this sort of thing comes up, I find myself wondering if there’s something obvious I’m missing. In the physical world, I have have physical locks guarding my front door, my banks safety deposit box, and the property I share with 300 million other citizens. And if by chance one of those locks should fall to a determined bad guy, there is some kind of procedure in place to go after them. There’s at least a token deterrent in the form of the police. (Yeah, I know whaty chances are of getting my stolen car returned or my burgled stuff back, but the principle is there at least)

In the computer realm, it appears that all the security is wrapped up in the locks, and if they should fall to a determined attacker, there is no deterrent, no investigation possible, it’s like a jaw-droppingly wild west free for all. It’s still galls me that the baddies who tried to short airline shares in advance of 9/11 have not been tracked down. Is the their opsec really just that good? Or is it just a matter of no one having enough jurisdiction to follow the data?

If a bitcoin heist can be tracked in real time, how is it that 419 scammers can receive conventional money from their marks without fear of getting caught? I’m not whining just to whine, I really would love to know what makes it so dangerous out there.

It’s as if the pirates were the only ones with boats, and no one had ever thought to invent a Navy yet.
what gives?

I wonder how you will patch an embedded printserver box without source that the manufacturer did not release new firmware for. Or an aging ebook reader with wifi and the same problem. Or a “smart” TV. Or that odd random IoT thingy.

Mitigation has its uses, too.

Your security in the real world depends on a law enforcement system and courts. Jurisdiction is generally clear. Not so on the Internet. Laws and rights and so on exist by territory not by IP block.

#YAWN.

“Terrifying?” Really? Don’t we get enough fearmongering from our politicians already?

Meh. Another day, another DNS bug remediated. Progress continues to be made, slowly, towards a secured distributed global name resolution infrastructure. Much remains to be done.

@Dan_Kaminsky, you’re a fine researcher, and I do appreciate the way you’ve managed to get publicity for long-standing DNS issues that people like DJB weren’t able to get into the press, but don’t you ever get tired of these scare headlines?

This is not a YAWN

This is a PAY ATTENTION, GET INFORMED, REMEDIATE ASAP

Google’s already got remote code execution working with this one (on boxes with NX/ASLR enabled). That’s terrifying.

This is a bug in every unpatched Linux distro from the last 8 years that uses glibc. That’s a whole bunch of things. This is a bug in a call in glibc that’s used all over the place. When you can get stack buffer overflows in Perl, Python, Ruby, Java, JS, Haskell, sudo, MySQL, and Apache that’s bad. When that’s actually a really short list out of a far more extensive one it’s really bad. That’s widespread.

Admins need to know that they need to remediate this beast rapidly, and if it takes scaring them into recognizing that this is one to pay attention to, that’s okay by me. The alternative is admins that don’t pay attention and leave hosts that get pwn3d and at best wind up serving in botnets that add yet another layer of terrifying, widespread internet breakage.

I remediated it before it went public, across two sites and my home network. Hell, I’ve already patched the glibcs on all the non-production non-DNS servers at this point, and will have finished the production ones by this weekend.

Yawn yawn. This crap happens all the time. It’s not terrifying. And if somebody needs to be terrified in order to promptly apply an important patch, frankly they are already unsuited to their level of responsibility, and scaring them isn’t going to work for ever. It’s unlikely to do any good in the long run.

EDIT: The Cisco ASA vulnerability is a lot more annoying; if you patch up to date in order to avoid it, your portal stops working for SMB file transfers. Hmmm, permit a known exploitable remote vulnerability or make a mission-critical box completely unable to perform a primary function? What do you think the pointy-haired bosses will say to that? Makes glibc bugs that have working patches available seem a lot less than “terrifying”.

Who uses those?

Windows shops?

I’m pretty sure the ASA is running linux - let me check - ayup.

Windows shops are moving to RDS these days, which might cut into ASA sales a bit. HyperV licensing is so dirt cheap that better virtualization environments don’t make good financial sense, and you can run your RDS cluster out of a hyperV backend. But there are ridiculous numbers of ASAs out there running site-to-site and ad-hoc VPNs and providing enterprise firewalling (sometimes, all in the same box) so their decreasing use as web portals won’t have a huge impact.

The CVSS on the ASA vulnerability is a TEN, just like the glibc bug, but here we are ten days after the ASA bug announcement and there’s no patch that doesn’t break something else*. I think that’s a bit more worrisome than a glibc bug that’s trivially patchable, personally. Especially when you realize that rebooting DNS servers is something you can do while they are in use, the clients will just fail over to another server transparently - but that’s not true of ASAs.

(But I’m still not terrified of the ASA bug either, I’m just mightily annoyed.)

*Edit: we have 9.4(2.6) running now which seems to be working.

I didnt have enough time to read before I left the office last night but someone was mentioning that the relevant CVE of the ASA problem has been updated and may require admins to update again.

As you say, these things arent about being terrified, its just BAU.

However, this glibc issue could certainly be ulcer causing for some admins who have business systems which “can’t” be patched/rebooted and or scheduling downtime is near impossible.

One of my cow-orkers found a working ASA version (or at least, one where none of the bugs affect us).     9.4(2.6) has the IKE code patched, doesn’t have the “unicorn” bug, and doesn’t have this new SMB problem that the more recent version has. But yeah, there could be more in the pipe, and Cisco is definitely working on the 9.5 version right now.

That’s true. The Gnu C Library supports a lot more than just DNS services. For DNS servers, though, you can always reboot any time - unless you haven’t implemented the standardized redundant, geographically dispersed and fault tolerant architecture that DNS is always supposed to have. Your clients have three DNS servers they know about (or two, if you are a really really small network) and you wait for each one to come back up before you reboot the next one. Nobody notices it even happened.

This topic was automatically closed after 5 days. New replies are no longer allowed.