Re: [ga] Vixies vixens make big boo boo on successful Russian DNS hack

[Thomas Baxter <baxtertms@xxxxxxxxx>]

 More self agrandisements, Joe. 

Oh Joe, did you pay the CDN $40k to those police man that sued you for slander 
in Ontario? Oh, but I guess that any one who calls themselfs "Internet God" cant
brag too much?


From http://www.angelfire.com/ca2/defamation/liability.html
...
"The issue of ISP liability has also arisen in Canada. For example,
where the original authors may be judgment proof, the plaintiff could
seek a remedy from an intermediary. For example, in Fantino v. Baptista,
an Ontario policeman obtained a modest default judgment for CDN$40,000
for damages in respect to some defamatory electronic messages. The
defendant, who claimed he had no assets and could afford to ignore the
judgment, reportedly told a newspaper reporter he was an "Internet god"
who was engaged in a war against the government. This type of defendant
may lead plaintiffs to sue "deep pocket" defendants such as large
ISPÕs. (64)"





----- Original Message ----
From: Joe Baptista <baptista@xxxxxxxxxxxxxx>
To: Ga <ga@xxxxxxxxxxxxxx>
Sent: Sunday, August 10, 2008 9:09:59 AM
Subject: [ga] Vixies vixens make big boo boo on successful Russian DNS hack



The news story below was first published on CircleID.  It has since been yanked 
and is no where to be found on CircleID.  Maybe we are witnessing a bit of 
history revision.  This makes me sad because CircleID was a publication I once 
wrote for.  In fact I was one of the first paid writer for the organization.  
Probably the only one at the time.  And it is sad to see revision at an 
organization I was once associated with.

However it is understandable considering Vixie, the sacred cow of DNS, made 
such a stupid and silly statement in the article.

Basically an internet researcher in Russia was able to break the Vixie patch 
and poison a servers cache after some 10 hours, billions of connections over a 
gigabit connection.  Vixies response was "before somebody
gets all excited about it let's be clear that it takes
two billion packets on average to defeat UDP port randomization, which
in this case was a fully utilized gigabit Internet connection for a
period of ten hours."  and proceeded to draw parallels that the level of risk 
was reasonably low because of this rationalization..

I think sometime Vixie lives in the dark ages of the net, when everything was 
low bandwidth and script kiddies were a novelty.  Indeed Polyakov, the Russian 
researcher, should be congratulated for his success in this attack considering 
the poor russian was using such limited resources.

Unlike script kiddies or real internet criminals Polyakov did not have the 
resources required, being hundreds of thousands of computers connected through 
a maze of IRC botnets on hundreds of thousands of both DSL and gigabit 
connections  to conduct a proper attack.  Poor man had to do it with one 
computer and one high speed internet link.  If he had better resources - like 
the kiddies - he could probably do it in much less time - 10 - 20 minutes?

Under these circumstances I'm not surprised the story was yanked.  The quote 
makes Vixie look like an idiot.

In any case - here is the original story no longer published at CircleID.


Latest news postings on CircleID
URL: http://www.circleid.com/news/
Updated: 10 hours 46 min ago
Emergency DNS Patch Still Vulnerable, Proves Russian Physicist
10 hours 19 min ago
A Russian physicist has been able to
successfully poison the latest BIND patch with fully randomized ports.
In other words, the emergency fix put in place to patch the Domain Name System 
(DNS) vulnerability for BIND, Internet's most popular DNS software, has been 
demonstrated to be vulnerable—and still exploitable by criminals. 
Evgeniy Polyakov from Moscow, Russia in a blog post today, has shown how using 
two fairly powerful computers and a fast
broadband connection, one could successfully attack the patched DNS
server in less than 10 hours. With a fast connection, "any trojaned
machine can poison your DNS during one night" says Polyakov in his blog
post. 
As demonstrated by security expert, Dan Kaminsky on Wednesday at the Black Hat 
security conference, the vulnerability,
if exploited by criminal, could be detrimental to the Web as well as
services such as email. 
Paul Vixie, president of the Internet Systems Consortium (ISC),
the organization in charge of maintaining the BIND software has
verified that Polyakov's exploit looks real. However "before somebody
gets all excited about it," Vixie says, "let's be clear that it takes
two billion packets on average to defeat UDP port randomization, which
in this case was a fully utilized gigabit Internet connection for a
period of ten hours." In other words, the probability of a successful
attack is fairly minimal. On the other hand, in the case of an
unpatched server, an attack was "narrowed down to six seconds," Vixie
noted. 
In the long term, Vixie says "we'll go on improving our forgery
resilience, as will every recursive DNS implementor, while we continue
pushing DNSSEC as the ultimate long term solution to the entire forgery problem 
including this off-path-attacker problem." 
More under: DNS, DNSSEC, Security
Categories: Net coverage

-- 
Joe Baptista
www.publicroot.org
PublicRoot Consortium
----------------------------------------------------------------
The future of the Internet is Open, Transparent, Inclusive, Representative & 
Accountable to the Internet community @large.
----------------------------------------------------------------
Office: +1 (360) 526-6077 (extension 052)
Fax: +1 (509) 479-0084