ICANN/GNSO GNSO Email List Archives

[ga]



Re: [ga] Re: Massive, Coordinated Patch To the DNS Released

  • To: ga@xxxxxxxxxxxxxx
  • Subject: Re: [ga] Re: Massive, Coordinated Patch To the DNS Released
  • From: George Kirikos <gkirikos@xxxxxxxxx>
  • Date: Wed, 9 Jul 2008 05:36:59 -0700 (PDT)

Hi Stephane,

--- Stephane Bortzmeyer <bortzmeyer@xxxxxx> wrote:
> On Tue, Jul 08, 2008 at 01:02:22PM -0700,
>  George Kirikos <gkirikos@xxxxxxxxx> wrote 
>  a message of 33 lines which said:
> 
> > This is exactly why registry operators should NEVER be judge, jury
> > and executioners when it comes to alleged domain abuse, as they could
> > inflict damage upon innocent victims. Read the advisory --- ANY name
> > server (and thus all the domains on that nameserver) could have been
> > compromised.
> 
> Read the real advisory (not the Slashdot article) yourself: the
> vulnerability is on recursive name servers, not on the authoritative
> ones.
> 
> http://www.kb.cert.org/vuls/id/800113

I did read the real advisory. The fact remains, often the vigilantes
who accuse people of abuse shoot first and ask questions later, and
that security vulnerabilities can remain secret for quite some time. If
they saw a phishing attack on a domain, etc., they often will not have
checked that maybe their own ISP's nameservers were compromised, or
that there was an unpatched vendor flaw, one that perhaps was yet to be
disclosed. With vigilantes, one is presumed "guilty" until proven
innocent, when due process would work the other way around.

See for example:

http://www.infoworld.com/article/07/05/18/21OPsecadvise_1.html
http://www.paulgraham.com/spamhausblacklist.html

"Blacklists have a structural flaw: there is no one to watch the
watchers."

in the context of spam and real-time block lists.

There will ALWAYS be security issues that affect innocent domain
registrants. Do a search in Google for "BIND security updates" or
"Apache security updates" or "PHP security updates" or "wordpress
security updates", etc. --- should domain registrants fear losing their
domain, entirely at the discretion of the registry operator, when these
things happen, without any due process? I say "No."

Sincerely,

George Kirikos
http://www.kirikos.com/



