Kuro5hin.org: technology and culture, from the trenches
ISC and Bind to betray full disclosure?

By Miniluv in Internet
Thu Feb 01, 2001 at 08:20:24 AM EST
Tags: Security

As many of us here know, BIND is one of the core services on the Internet. By far the most popular DNS server for Unix and its variants, BIND serves a staggering number of requests every second in aggregate. Today Paul Vixie, a long time BIND developer, chairman of the ISC and senior executive at Metromedia Fiber, a US Tier 1 network services provider, sent an email to the bind-announce mailing list.


Below is a copy of the email as posted to Bugtraq by Theo de Raadt of the OpenBSD project.

To: bind-announce@isc.org
Subject: PRE-ANNOUNCEMENT: BIND-Members Forum
Date: Wed, 31 Jan 2001 09:36:02 -0800
From: Paul A Vixie <Paul_Vixie@isc.org>
X-Approved-By: Ruth.Anne.Ladue@nominum.com
X-original-sender: Paul_Vixie@ISC.Org
X-List-ID: <bind-announce.isc.org>
X-DCC-MAPS-Metrics: isrv3.isc.org 668; IP=0/633557 env_From=0/3494
        From=0/3451 Subject=0/3451 Message-ID=0/3453 Received=0/3453
        Body=0/3451 Fuz1=0/3451

ISC has historically depended upon the "bind-workers" mailing list, and
CERT advisories, to notify vendors of potential or actual security flaws
in its BIND package.  Recent events have very clearly shown that there is
a need for a fee-based membership forum consisting only of:

        1. ISC itself
        2. Vendors who include BIND in their products
        3. Root and TLD name server operators
        4. Other qualified parties (at ISC's discretion)

Requirements of bind-members will be:

        1. Not-for-profit members can have their fees waived
        2. Use of PGP (or possibly S/MIME) will be mandatory
        3. Members will receive information security training
        4. Members will sign strong nondisclosure agreements

Features and benefits of "bind-members" status will include:

        1. Private access to the CVS pool where bind4, bind8 and bind9 live
        2. Reception of early warnings of security or other important flaws
        3. Periodic in-person meetings, probably at IETF's conference sites
        4. Participation on the bind-members mailing list

If you are a BIND vendor, root or TLD server operator, or other interested
party, I urge you to seek management approval for entry into this forum, and
then either contact, or have a responsible party contact, isc-info@isc.org.

Paul Vixie
Chairman
ISC

In separate emails to the NANOG mailing list Paul has clarified that this does not mean nobody gets all the info, merely that a certain class of people will get it in advance of the unwashed masses.

I'm personally against this in the respect that this will include notification of bug fixes. The bug recently released was only done after the root level servers were updated with the patched versions of BIND. While I remain sympathetic to the need for doing everything possible to ensure the integrity of the root servers, I wonder if it isn't possible to serve both goals more effectively.

What this appears to be is another layer between the masses and the vendors in what is becoming a faster and faster cycle of vulnerability discovery and exploit release. Is anybody really well served by slowing things down by even another 12-24 hours, let alone the several days that this closed list might involve?

Poll
This list is a...
o Good idea 10%
o Horrible Idea 41%
o Paul Vixie should rot in hell 26%
o What's the big deal? 10%
o Let's ask Inoshiro...he'll know... 11%

Votes: 60

Related Links
o BIND
o ISC
o Metromedia Fiber
o Bugtraq
o OpenBSD
o NANOG
o bug


ISC and Bind to betray full disclosure? | 30 comments (25 topical, 5 editorial, 0 hidden)
(4.09 / 11) (#6)
by Moneo on Thu Feb 01, 2001 at 03:28:26 AM EST

Since hearing about the recent holes, I've been vacillating between upgrading to BIND 9 or learning a new syntax/setup and switching over to djbdns. I think I'm going to switch to djbdns, both because it's more secure and because I don't like the implications of this email.
Recent events have very clearly shown that there is a need for a fee-based membership forum [..]

Can anybody explain this to me? What events have created a need for a "membership forum", and how?

I can understand why they would wait until after the root servers had been updated to release a bug fix -- their integrity, as Miniluv points out, should certainly be very high priority. That aside, though, I don't see any real reason to limit the availability of bugfixes or the awareness of exploits. In fact, it seems to me like it's encouraging security through obscurity. Admins might become more complacent about BIND holes simply because they assume that fewer people will hear about them, or that people will hear about them later. BIND is buggy, people. Accept it, admit it. And realize that those of us who manage it need to be aware of (and frightened by) possible security holes.

Anyway, those are my initial reactions. More later once the discussion fires up a bit.
Propaganda plays the same role in a democracy as violence does in a dictatorship. -- Noam Chomsky

at least bind is free software (3.80 / 5) (#12)
by danny on Thu Feb 01, 2001 at 08:11:36 AM EST

djbdns is not free software... a bigger concern in my mind than lack of full disclosure.

Danny.
[900 book reviews and other stuff]
[ Parent ]

It is Free Software ... there's a catch though (3.00 / 5) (#16)
by nictamer on Thu Feb 01, 2001 at 10:25:28 AM EST

You can modify it, redistribute it, use it at will ... but it IS annoying to comply with his restriction. IOW you have to use patches to publish changes instead of publishing the modified package (much like the first Qt-open source license)

That said, this catch gets minor once you begin to consider how much of sorry bloated excuse for software any version of Bind is.

djbdns weighs 1/10th, takes 1/100th memory, has 1/1000th of the bugs and 1/10000th of the security issues.


--
Religion is for sheep.
[ Parent ]
Free vs. Disclosure (3.00 / 1) (#26)
by burbs on Thu Feb 01, 2001 at 06:47:14 PM EST

I'd rather PAY to not have to worry about Paul Vixie and ISC's next scheduled screwup than worry about whether or not the software I am using is freely distributable or not. With djbdns, you CAN look at the source. This means you CAN make changes. So you can't just patch the source and then give your version out to the rest of the world. Wah.

I think Professor Bernstein's a smart enough guy to consider each and every change handed to him. After all he wrote software that WORKS as it should without tens of security flaws, unlike Vixie and crew.

This week I am removing BIND from my network in its entirety. I've already dropped Sendmail, and the next things to go are inetd and xinetd in favor of tcpserver. I hope Dan writes a DHCP implementation so I don't have to use ISC's bloated DHCP server. Already I feel safer with Sendmail out of the way, and can't wait to kick BIND's ass out the back door as well.

Face it folks, just because BIND has been around the longest doesn't mean it's the best.

For the uninformed, Dan J. Bernstein's site is located http://cr.yp.to.

...Burbs

[ Parent ]
Bernstein's software (4.00 / 3) (#22)
by trhurler on Thu Feb 01, 2001 at 04:11:48 PM EST

If there is one hole in a piece of software, then it is no more secure than if there are a million - close only counts in horseshoes and hand grenades, and certainly does not count in computer security. Mr. Bernstein's DNS program, along with his other "secure" software, such as qmail, is certainly smaller, cleaner, and all around better than much of what it aspires to replace. However, since no significant number of talented programmers have actually looked at any of it, his security "guarantee" is worthless; even the best programmers make mistakes, and the odds that there are none in the thousands of lines of code that comprise his software are about the same as the odds that I'm going to die before I finish typing this sentence.

Why do Bernstein's programs not see wider attention? Several reasons. One, most people aren't aware of them. Two, nobody too important is using them, so there's not much incentive to attack them. Three, few or no significant vendors ship them, so there's no vendor attention. Four, Bernstein's redistribution policy makes his software unattractive to the vast majority of free software people, whether they be GPL or BSD fans, and makes development work on his software unreasonably difficult. Five, the people most likely to actually do a real security audit of any given software already have done audits and improvements of in house versions of things like BIND and sendmail, so why bother?

--
'God dammit, your posts make me hard.' --LilDebbie

[ Parent ]
Finding a bug in djbdns might be useful (3.33 / 3) (#28)
by goonie on Thu Feb 01, 2001 at 08:17:18 PM EST

. . . to teach Mr Bernstein to be less arrogant ;-)

[ Parent ]
alternatives to bind (3.40 / 10) (#7)
by SEAL on Thu Feb 01, 2001 at 04:20:41 AM EST

First, let me say that I am firmly against Paul Vixie's email. This is just an excuse to collect more money. Recent events (like the latest bind exploit) haven't led to this. I believe recent events tell us that maybe it's time to rethink dns software because bind has become too unwieldy to maintain in a secure fashion.

I've heard a lot of people mention djbdns on here and Slashdot. Dents is another DNS project that's been in development for awhile. Things are eerily quiet - I'm not sure if it is still in active development or not. However, it is GPL'd, unlike djbdns. Who knows... maybe someone will get this project moving again.

- SEAL

It's only after we've lost everything that we're free to do anything.

Conflicting allegations toward Vixie? (4.00 / 11) (#8)
by ti dave on Thu Feb 01, 2001 at 04:40:50 AM EST

Point 1:
"Paul has clarified that this does not mean nobody gets all the info, merely that a certain class of people will get it in advance of the unwashed masses."

Point 2:
"4. Members will sign strong nondisclosure agreements"

I would like to see this resolved.
Notice that Vixie doesn't state
"strong SOME-disclosure agreements". To me "Nondisclosure" means "Nothing Revealed".

ti_dave



"If you dial," Iran said, eyes open and watching, "for greater venom, then I'll dial the same."

Other emails (4.50 / 4) (#9)
by Miniluv on Thu Feb 01, 2001 at 04:47:16 AM EST

Paul made the former statement after the latter, in order of your citations, in multiple emails. The former was in the cited email to bind-announce, the other was on NANOG.

My understanding of what he's trying to do is to push the information out in stages so that the "priority" servers are updated first. I guess this might be absolutely horrific in concept, I suspect the practice will suck.

"Its like someone opened my mouth and stuck a fistful of herbs in it." - Tamio Kageyama, Iron Chef 'Battle Eggplant'
[ Parent ]

Nondisclosure agreements can be temporary... (4.50 / 2) (#27)
by seebs on Thu Feb 01, 2001 at 07:45:09 PM EST

For instance, I signed a strong NDA when I was beta testing Virtual PC version 4. The NDA is now "over"; I can tell you, without fear of retribution, that there exists a new version of Virtual PC.

So, if I'm in the "special" group, I hear about the bug *right away*, the moment anyone suspects it exists. I am prohibited from, say, posting about it on slashdot, or other script kiddie hangouts, until the fix is released.

*THAT* is all the NDA does. After the fix is out, it's *out*. It's published, source is provided, CERT sends advisories. Everything happens just like it does now.

The difference is that, being a vendor with hundreds of thousands of installed boxes, I'm allowed to find out *sooner*, so that, by the time the bug announcement (with patch) comes out, *I already have the patch ready to go*.


[ Parent ]
Is this quite as evil as it sounds? (4.41 / 12) (#10)
by goonie on Thu Feb 01, 2001 at 06:03:01 AM EST

I'm not quite ready to blast Mr Vixie yet. The trouble with BIND is it is mission-critical for basically the entire internet, so disabling it or firewalling it while a fix is found just isn't an option. The only choice is to leave servers with a security hole running until the hole is patched.

Therefore, I don't see it as entirely unreasonable for a core group of people be able to discuss security holes in secret so that a patch can be made before an exploit reaches the wild. True, it's only a hope that the good guys discover the hole before the bad guys do, but it's the best we can do.

There is plenty of precedent for keeping security holes secret while a fix is made - Alan and Linus did it several times. What keeps people from complaining in the Linux kernel cases was that patches came out very quickly after bugs were discovered. If BIND wants to maintain the same reputation, the same will have to occur.

However, IMHO any secret mailing list should be strictly limited in scope to security bugs. Once a patch or workaround is available and has been successfully applied to critical root servers, the bug and patch *must* be promptly disclosed.

The one thing that does really concern me, however, is the "membership fee". The costs of running the facilities discussed in the system are negligible. By the sounds of it, only core developers and distributors will be on the list anyway. Why charge a membership fee and be suspected of running this as a for-profit exercise?

Incidentally, it is amusing to note who posted the notice to bugtraq. Mr De Raadt, for all his undoubted programming skills, isn't renowned for being a subtle diplomat.

A possible reason (4.33 / 6) (#11)
by tftp on Thu Feb 01, 2001 at 06:29:41 AM EST

Why charge a membership fee and be suspected of running this as a for-profit exercise?

It can be intended just as a filter. Serious network providers couldn't care less about a few thousand dollars per year for yet another subscription. They earn this money in a fraction of a second. However very few script kiddies will want to pay for the privilege. A specific attack against DNS could seriously damage the network, that's where this idea comes from.

It was mentioned by another person that security through obscurity does not work. However one has to use all available tools to achieve highest possible security. Your door lock won't protect against a crowbar or a stolen key, but you lock the door anyway - why? Because the lock is just another tiny barrier the intruder has to go through. Put enough barriers and this will delay or foil the attack. The idea is that security through obscurity does not work in long run, when the attacker has time to analyze the system or send a spy to learn how it works. But this says nothing about short-term efficiency.

I also believe that the income from this mailing list will barely cover its cost, such as just one person to manage keys, mailings, NDAs etc.

[ Parent ]

I think it's a joke (3.66 / 3) (#21)
by SEAL on Thu Feb 01, 2001 at 01:32:41 PM EST

However very few script kiddies will want to pay for the privilege.

Very few warez d00ds want to pay for software. Yet this software mysteriously appears on zero day sites where they can all access it for free.

Same goes for the exploit world. I can almost guarantee that someone on that mailing list will leak the information to the underground. This will be swiftly distributed amongst that crowd.

The end result is:

a) The script kiddies will still abuse the vulnerabilities.

b) Of the non-underground, only Vixie's paying customers will have the information they need to protect themselves.

Shame on you Paul.

- SEAL

It's only after we've lost everything that we're free to do anything.
[ Parent ]

Forget alternatives to BIND . . . (3.00 / 7) (#13)
by hardburn on Thu Feb 01, 2001 at 09:46:15 AM EST

. . . How about alternatives to DNS? The entire Internet relies more or less on a few root servers. I'm making one based on Freenet under the Everything Over Freenet (EOF) project (although right now the DNS part of our web page is down).

Preliminary documentation on this is at http://sourceforge.net/docman/display_doc.php?docid=2162&group_id=15579 (which is badly out of date). Jim Gallagher (he's in the middle of the list) will be speaking at the O'Reilly Peer to Peer conference on this as well. His presentation will actually be about DNS with P2P in general, but he contacted me about my project and will be mentioning it.

Theres some code in EOF's CVS repository for the DNS section, but I haven't had much time in the last few weeks to do anything with it (new semester at school, need to let things settle down before I get back to coding).

FNS (Freenet Name Service) works by taking in a DNS request as normal (and thus can be plugged into any network and work with existing clients), then requests a key on Freenet for the proper DNS records based on the addresses asked for by the client. It then parses the file returned and sends back the info to the client, again over regular DNS protocols.

[/plug type=shameless]


----
while($story = K5::Story->new()) { $story->vote(-1) if($story->section() == $POLITICS); }
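One way to implement the DNS-facing half of the design hardburn describes (accept a normal DNS query, fetch the records from an external store, parse the returned file, answer over ordinary DNS), as an added example that is not EOF/FNS project code. The store is an in-memory dict standing in for the Freenet key fetch, and the one-record-per-line file format it returns is an assumption of this example, not the project's format.

```python
"""Minimal DNS wire-format query parser and A-record responder (added example).

The external store, the record-file format and all names below are
assumptions standing in for the Freenet fetch in FNS; nothing here is EOF code.
"""
import socket
import struct

QTYPE_A, QCLASS_IN = 1, 1

# Constructed sample "files", as the store would hand them back:
# one "name ttl A address" line per record (assumed format).
STORE = {
    "example.test.": "example.test. 300 A 192.0.2.10\nexample.test. 300 A 192.0.2.11\n",
    "www.example.test.": "www.example.test. 60 A 192.0.2.20\n",
}


def parse_name(data, offset):
    """Decode a DNS name (labels, optionally ending in a compression pointer).
    Returns (name with trailing dot, offset just past the name)."""
    labels = []
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            tail = parse_name(data, ptr)[0].rstrip(".")
            if tail:
                labels.append(tail)
            return ".".join(labels) + ".", offset + 2
        if length > 63:
            raise ValueError("bad label length")
        offset += 1
        if length == 0:
            return ".".join(labels) + ".", offset
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def encode_name(name):
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def parse_query(packet):
    """Return (txid, flags, qname, qtype, qclass) for a single-question query."""
    if len(packet) < 12:
        raise ValueError("short packet")
    txid, flags, qdcount = struct.unpack("!3H", packet[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    qname, off = parse_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return txid, flags, qname, qtype, qclass


def fetch_records(qname):
    """Stand-in for the Freenet key fetch: returns the record file text or ''."""
    return STORE.get(qname.lower(), "")


def parse_records(text):
    """Parse the assumed record file into (name, ttl, type, rdata bytes) tuples."""
    recs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2] == "A":
            recs.append((parts[0].lower(), int(parts[1]), QTYPE_A, socket.inet_aton(parts[3])))
    return recs


def build_response(query):
    """Build an authoritative wire-format answer to a query packet."""
    txid, flags, qname, qtype, qclass = parse_query(query)
    records = parse_records(fetch_records(qname))
    answers = [r for r in records if r[2] == qtype and qclass == QCLASS_IN]
    rcode = 0 if records else 3  # NXDOMAIN only when the name has no records at all
    rflags = 0x8000 | (flags & 0x7800) | 0x0400 | (flags & 0x0100) | rcode  # QR, opcode, AA, RD
    header = struct.pack("!6H", txid, rflags, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, qclass)
    body = b""
    for _, ttl, rtype, rdata in answers:
        # 0xC00C is a pointer to the question name, which always starts at offset 12
        body += struct.pack("!HHHIH", 0xC00C, rtype, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + body


def build_query(qname, txid=0x1234, qtype=QTYPE_A):
    """Build a recursion-desired query packet, as a stub resolver would."""
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_answers(packet):
    """Return (rcode, [(name, ttl, dotted address), ...]) from a response packet."""
    flags, qd, an = struct.unpack("!3H", packet[2:8])
    off = 12
    for _ in range(qd):
        off = parse_name(packet, off)[1] + 4
    out = []
    for _ in range(an):
        name, off = parse_name(packet, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        if rtype == QTYPE_A:
            out.append((name, ttl, socket.inet_ntoa(packet[off:off + rdlen])))
        off += rdlen
    return flags & 0x000F, out


def serve(bind_addr=("127.0.0.1", 5353)):
    """Answer UDP queries forever; malformed or non-query packets are dropped."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind_addr)
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(build_response(data), peer)
        except (ValueError, IndexError, struct.error):
            pass


if __name__ == "__main__":
    serve()
```

Run it and point `dig @127.0.0.1 -p 5353 www.example.test` at it; replacing `fetch_records` with a real key fetch is the only change the FNS design needs on this side. Note that the responder answers any request it gets on the socket, so whatever sits behind `fetch_records` decides who can claim a name, which is exactly the trust question raised in the replies below.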


Must use "preview" more carefully (2.66 / 3) (#14)
by hardburn on Thu Feb 01, 2001 at 09:47:56 AM EST

I just screwed that link up. It should be like this: http://sourceforge.net/docman/display_doc.php?docid=2162&group_id=15579.


----
while($story = K5::Story->new()) { $story->vote(-1) if($story->section() == $POLITICS); }


[ Parent ]
Issues with given implementation (3.50 / 2) (#18)
by oierw on Thu Feb 01, 2001 at 11:48:00 AM EST

I quickly read through how it would work and I just had a few problems.
First, it's KSK based. To quote Oskar on freenet-dev, "For fucks sake people, YOU DON'T LINK TO KSKS! It's fucking nuts!".
Secondly, anyone can steal a name for a period of time. You have a system where you trust every user, because it's KSK based. If you do what Benjamin Coates did with his KeyIndex.txt redirect, he first redirects KeyIndex.txt to a SSK. The key in the SSK is the date-based redirect which points to the actual file. The system is more secure than doing it purely in KSKs.
I know there's a third part, probably about name hogging and such, but I've got to run so I can't think it through. :p

-Mathew

[ Parent ]

I know about those limitations (2.00 / 1) (#23)
by hardburn on Thu Feb 01, 2001 at 04:29:55 PM EST

I know about those limitations. Like I said, the original document is badly out of date. It already uses KSKs redirected to CHKs, but that's not good enough; it needs a KSK redirected to a subspace. I am planning on implementing this in the second public release (the first will just be proof-of-concept).

I have a document about just how I plan on doing this. I'll get it into the CVS soon (and post it to Freenet-devel).


----
while($story = K5::Story->new()) { $story->vote(-1) if($story->section() == $POLITICS); }


[ Parent ]
Fee (4.12 / 8) (#15)
by finial on Thu Feb 01, 2001 at 10:18:04 AM EST

I think I understand the rationale behind this. I'm not sure I agree with it yet, but I do understand it. But one thing I don't understand is:
there is a need for a fee-based membership forum
What does "fee based" have to do with anything? What is that "need?" Maybe I just don't get it, but can you not have all of those same conditions, requirements and features without the fee? It's a mailing list and CVS access. What does the ability or inability to pay a fee denote?

I see no problem here... (3.62 / 8) (#17)
by seebs on Thu Feb 01, 2001 at 10:58:15 AM EST

Since I work with a vendor (BSDi) who might well be part of such an organization if one were available...

If we knew a day or two early, by the time everyone wrote in asking for patches, we'd *have* them. As is, we've got a day or so of lag during which we *don't* have a patch.

Yes, I think it's useful to have people with a "need to know" able to get access sooner than everyone else; we have to do a lot more work to respond to the advisory than the rest of y'all.

As an end user, I have no complaints; I get the same data at the same *relative* time, which is "about the same time as everyone else".


Ignorance is bliss (2.33 / 3) (#19)
by MoxFulder on Thu Feb 01, 2001 at 12:56:43 PM EST

Your argument here seems to be basically "ignorance is bliss" ... until someone tells you that your software needs a patch, you don't really need it!

I'm not sure if this is a good assumption for things like security patches and bug fixes ... if malicious crackers find out about a security hole along with the "need to know" group, but ahead of the general public, this gives them a window of opportunity in which to wreak havoc!

"If good things lasted forever, would we realize how special they are?"
--Calvin and Hobbes


[ Parent ]
not exactly (3.33 / 3) (#25)
by darkuncle on Thu Feb 01, 2001 at 06:10:20 PM EST

the argument is not "ignorance is bliss" - the argument is that it is in the overall best interests of the Net populace for certain segments of that populace to have a chance to patch holes BEFORE the black hats have a chance to write exploits. If you carefully read Paul Vixie's original post and follow-up on BUGTRAQ, you will see that the bind-members list is not just a "pay the cash, get on the list" setup - membership submissions will be reviewed, and not just any blackhat with the money for the fee will be allowed to join.
To answer your second objection - malicious crackers (there's another kind?) ALREADY find out about the security risk along with the "need to know" group, which finds out at the same time as the rest of the world (well, in this particular case, Vixie announced to NANOG on Friday night that a new version was out, and the public wasn't made aware until Monday). You're making a false distinction between the way things operate now and the way they would operate in light of the proposed new system - first of all, black hats are NOT likely to get onto the bind-members list, unless it's a Neo type of situation ("you seem to be living two lives ..."); secondly, black hats currently get their information at the same time as vendors and code maintainers, giving them "a window of opportunity in which to wreak havoc" until the vendors and maintainers have written, tested and released a patch. Which is exactly the same effect as we would have if a black hat got hold of advance notice information from the bind-members list.
In short, the worst that would happen with this list is that we would get no benefit - the bad guys and the good guys would find out about bugs at the same time, with the public finding out when a patch is ready. This is no worse than the public finding out at the same time as the good/bad guys, but not being able to do a damn thing about it. That's the worst-case scenario, assuming black hats infiltrate the list. Best case scenario is that list membership is tightly controlled, and those responsible have a chance to write patches BEFORE exploits start moving around IRC.
illum oportet crescere me autem minui
[ Parent ]
Security Issues (3.85 / 7) (#20)
by MrAcheson on Thu Feb 01, 2001 at 01:27:08 PM EST

Seems like I remember someone recently saying that full public disclosure at the moment of bug discovery is a bad idea. What essentially happens is that it gives the black hats on the public list time to exploit the bug (a bug they probably didn't know about until it was announced) before people can get a patch written. The alternative it sounds like BIND is using is to release the bug information to a small secure list of the individuals who are the most important/influential/at risk. Then the rest of the world gets to know when the patch is released or when the bug seems to be exploited in the wild.

I suppose the tight security and perhaps even the fee are there to prevent the wrong people having access to the information too soon.


These opinions do not represent those of the US Army, DoD, or US Government.


ISC/Nominum response on Bugtraq (4.80 / 5) (#24)
by Miniluv on Thu Feb 01, 2001 at 05:08:53 PM EST

To remove some of the fuel from the fire two people from the ISC/Nominum organization have responded to the very public allegations made, both originally by Theo and separately by Dragos Ruiu, that BIND was moving to closed source and/or non-full disclosure.

Paul states, "(there is no plan to stop doing what isc has always done, which is work with cert to propagate security information to the public in responsible ways. but, isc also needs direct relationships to the vendors involved. this is it.)" which sounds pretty reasonable to me. This is a definite, in my perspective, change in tone from the original announcement. I think perhaps that Mr. Vixie wrote the announcement to pass ISC/Nominum "management" review, and thus it came out in dry bureaucratese without remembering or fully understanding the likely public reaction to such a notice.

As people have made clear the DNS infrastructure is, at this point, really very exposed and I applaud the choice to upgrade the root servers before the announcement in order to safeguard their security. What I think it might be time for is a mass call for a new project to provide an alternative to BIND8/9. Not because BIND isn't capable, but because a world with just one product isn't a world worth venturing into. DJBDNS is not, in my opinion, an option because Dan Bernstein refuses to put a license on it that at least tells us what our rights are. If he would GPL/BSD/Microsoft license it we know where we stand, and while I would prefer he open source it and allow redistribution, I would understand and support his choice if he doesn't.

"Its like someone opened my mouth and stuck a fistful of herbs in it." - Tamio Kageyama, Iron Chef 'Battle Eggplant'

djbdns (none / 0) (#30)
by jjp22 on Sat Feb 10, 2001 at 11:08:05 PM EST

DJBDNS is not, in my opinion, an option because Dan Bernstein refuses to put a license on it that at least tells us what our rights are.

There may be reasons to not use djbdns (although I use it quite happily) but this is certainly not one of them. Dan Bernstein explicitly addresses this. If you can't be bothered to read the whole thing he says, "If you think you need a license from the copyright holder, you've been bamboozled by Microsoft. As long as you're not distributing the software, you have nothing to worry about."

[ Parent ]
Mixed views... (4.25 / 4) (#29)
by pak21 on Fri Feb 02, 2001 at 04:35:04 AM EST

In principle, I don't think this is that bad an idea: if the big DNS servers have to go down when the next security hole is found in BIND, the Internet as we know it will basically be dead. Therefore I don't have too much of a problem with a closed mailing list so the crucial servers can be patched early.

However... I've yet to see a really convincing argument as to why it needs to be "fee-based". The issue of keeping the black hats off the list is a matter of reviewing membership, which (I believe) is going to be done anyway. If the fee is set high enough that it will make it difficult for black hats to get onto the list, even if they somehow pass the review process, this list will be taking in a significant amount of money... yes, there are some admin costs, but they won't be that high. So, to me, this looks like a good idea, but tainted by an impression of money grabbing... or am I missing something?


