Saturday, July 19, 2008

What Should Dan Have Done?

I answered a question on the Daily Dave mailing list, so now a few of you are asking "what should Dan have done?" about his DNS discovery. Keeping in mind my thoughts on keeping vulnerabilities in perspective, I have the following suggestions.

  1. Black Hat and/or Def Con should not be the place where "all is revealed." The gravity of the situation (such as it might be) is nullified by what will undoubtedly be a circus. Disclosure of additional details should have been done by a neutral party with no commercial interests. Black Hat and/or Def Con would have made great post-disclosure locations, where Dan explains how he found the vulnerability, along with "the rest of the story." That would have still made a great talk, with plenty of worthwhile attention.

  2. Personal blog posts should be avoided. The disclosure process should have been run exclusively through a group with some nominal "Internet security legitimacy," like CERT-CC and the affiliated US-CERT. Any questions on the issue should have been referred to them.

  3. The person discovering the issue should not have asked us to avoid speculation, while issuing a challenge, e.g.:

    I want you to explore DNS. I want you to try to build off the same bugs I did to figure out what could possibly go wrong. Maybe I missed something — I want you to help me find out if I did, so we can deal with it now instead of later...

    While I’m out there, trying to get all these bugs scrubbed — old and new — please, keep the speculation off the public forums and IRC channels. We’re a curious lot, and we want to know how things break. But the public needs at least a chance to deploy this fix, and from a blatantly selfish perspective, I’d kind of like my thunder not to be completely stolen in Vegas :)

    Now, if you do figure it out, and tell me privately, you’re coming on stage with me at Defcon. So I can at least offer that.


    This essentially says "if you're clever enough to figure this problem out, tell me and join me in the circus."


I think it's remarkable that, despite all the brainpower behind the preparation for these announcements, the DNS-behind-NAT problem first noticed by imipak was missed. If no speculation or discussion of the issue had taken place, how would that problem have been addressed?

There's no easy answer to the fundamental question, but it's fair to ask what is really at stake here. Right now, hundreds of thousands, perhaps millions, of innocent users have unwanted intruders controlling their PCs. That is a realized problem. It is not theoretical. It is not pending. Why is there not a crash program to help those people?

Consider the issue from another angle. Anyone with military experience knows there are procedures in place for dealing with real catastrophes. Absolutely nothing about the current situation has raised any official notice outside of our community. Are there any warnings on CNN? The SANS Internet Threat Level (take it with a grain of salt) is even still green.

This does not diminish the amount of work done by Dan, the vendors, and other parties to fix this issue. It's all for the better to have more robust infrastructure in place. At the very least this situation has raised the question of how vulnerabilities in critical infrastructure should be addressed in the future.

18 comments:

Dan Kaminsky said...

I was going to make a longer post. I will say this: You are operating with incomplete data. Please revisit this post in a couple of weeks. Until you know the inputs, you cannot judge the outputs.

After, of course, is another story. I will need your guidance then.

Anonymous said...

lol... Your reply just completely hit Richard's point home. "Until you know the inputs, you cannot judge the outputs." Technobabble aside, decisions, opinions, strategies - these are things everyone continually executes in spite of incomplete data. In other words, the world always judges without ever knowing all the "inputs." You have spent so much time creating a circus over this, regardless of what you show at BH, you can't change the majority of the world's opinions about you now. Most people form lasting solid opinions in a matter of seconds. How many weeks have you been manipulating the "inputs?" (Eg: Behaving like a drama queen.) I think you're stuck with the "outputs" now... I can't say I agree with Richard all that frequently, but he hit the nail on the head with the entire post.

Dan Kaminsky said...

Anon--

Yup. Eight years of doing good work, and I'm having to suck it up for this. It ain't fun. If you remember, my last talk was given with no advance warning, not even a topic for the conference. THAT was fun.

The sombrero might have helped.

Yeah, I can't really blame anyone for thinking I've just completely lost it. I honestly have no idea how people are going to react, once the facts are on the table. But, here's the facts on the ground:

1) Patches are out.
2) The talk's going to happen.
3) Everyone in IT has heard of this bug.
4) Lots and lots of people are patching -- not everyone, but not even close to no one.

These are good results. These are not perfect results. But they're good. We'll see what people think in a couple of weeks. As Richard says:

"At the very least this situation has raised the question of how vulnerabilities in critical infrastructure should be addressed in the future."

Yes. YES.

Steve said...

Dan,

You've put security ops people in a tough spot with this disclosure. As has been stated several times, you're telling us there's something "very bad" but not giving us the information we need to make a recommendation to the business.

For example, it has been said that djbdns is not vulnerable to this flaw, and yet it has also been reported that the flaw is in the DNS protocol and that BIND and others have simply added source port randomness as a mitigator. So, I can migrate to djbdns, I can add yet another patch to BIND or I can add my own port randomness via a pf nat rule on the box. If it is the case that port randomness is an effective mitigator, then the pf rule is the best solution available, but we don't have enough information to make that judgment.

I have no issue with taking time to make sure everyone has a chance to apply the patch or other countermeasures, but a month is too long. I know that the window has to be driven by Microsoft's July patch and your Black Hat talk, and that is why you're taking all this heat. I really hope that when you do present your findings, it is not entirely mitigated by randomized source ports, because there's no way that will have been worth all this hassle, and no matter how easy the query ID is to guess, you won't convince me that details couldn't have been released after 2 weeks.
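Steve's question of whether source port randomness is an effective mitigator, and the DNS-behind-NAT problem mentioned in the post, can both be checked from the network edge: randomised ports only help if they are still unpredictable after any NAT in the path. This is an added example, not code from the post or any commenter; the "captured" port sequences are constructed (a resolver picking random ports, and a NAT rewriting them sequentially).

```python
"""Score outgoing DNS source ports for predictability.

Added example, not from the post or its comments. Source-port randomisation
only helps if the ports that leave the network edge are still unpredictable;
a NAT that hands out sequential ports undoes it. All data below is
constructed: a patched resolver picking random ports, and a NAT that
rewrites them in order.
"""
import math
import random

TXID_BITS = 16          # the DNS transaction ID is a 16-bit field
EPHEMERAL_LO, EPHEMERAL_HI = 1024, 65535


def predictability(ports, window=16):
    """Fraction of queries whose port lies within `window` above the previous one.

    An off-path party that has observed one earlier query can aim at that short
    window instead of the whole range. Independent random ports score close to
    0; a sequential NAT allocation scores close to 1.
    """
    if len(ports) < 2:
        return 0.0
    hits = sum(1 for a, b in zip(ports, ports[1:]) if 0 < b - a <= window)
    return hits / (len(ports) - 1)


def port_randomness_report(ports, window=16, max_predictable=0.05, min_port_bits=10.0):
    """Estimate how many bits a forged reply must match, as seen at the edge.

    Predictable ports contribute only log2(window) bits; otherwise the observed
    spread of ports counts. The 16 TXID bits are added either way. A fixed port
    (spread of 1) yields 0 port bits and is reported as not randomized.
    """
    pred = predictability(ports, window)
    if pred > max_predictable:
        port_bits = math.log2(window)
    else:
        port_bits = math.log2(max(ports) - min(ports) + 1)
    return {
        "predictable_fraction": round(pred, 4),
        "port_bits": round(port_bits, 2),
        "total_bits": round(port_bits + TXID_BITS, 2),
        "randomized": pred <= max_predictable and port_bits >= min_port_bits,
    }


def resolver_ports(n, seed=1):
    """Constructed: ports a patched resolver might choose for n queries."""
    rng = random.Random(seed)
    return [rng.randint(EPHEMERAL_LO, EPHEMERAL_HI) for _ in range(n)]


def sequential_nat(ports, base=EPHEMERAL_LO):
    """Constructed: a NAT that rewrites each outgoing port to the next one in order."""
    return [base + i for i in range(len(ports))]


if __name__ == "__main__":
    direct = resolver_ports(500)
    print("resolver seen directly:", port_randomness_report(direct))
    print("same queries after NAT:", port_randomness_report(sequential_nat(direct)))
```

On a real network, feed `port_randomness_report` the UDP source ports of outgoing port-53 queries captured outside the NAT; a low `total_bits` means the patch is not helping where it matters.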

inse3t said...

Disclosure of additional details should have been done by a neutral party with no commercial interests

oleDB said...

Can you cut the guy some slack? Let Dan get his credit, in the way he wants it. The disclosure was responsible enough, in the fact that patches are available for most affected platforms prior to any exploit details. If you put in months of research into something, would you honestly hand off your baby for someone else to run with? To the same groups who ignored or were ignorant to the vulnerability in the first place. If you really cared about the details this much, why not invest some time into reverse engineering the patches. Otherwise, shut up and wait till BH.

Anonymous said...

"If you remember, my last talk was given with no advance warning, not even a topic for the conference."

Yes, I remember. I remember you talking incessantly about it (and apparently still are). I speak at the same conferences, which is where my comments come from. I won't even comment on the sombrero, or why it's yet another perfect case-in-point.

Five to ten years ago, waiting to "reveal all" details at BH, Defcon, Can/Pac/*Sec, various fledgling San Diego sec cons, etc was perfectly normal. Now, the "industry" has changed - noted by "exit letters" issued by various people over time. That change can be attributed to too many reasons to count, but one of the largest includes (and before I say it: yes. It's not perfect, but there's no comparison between now and 5-10 years ago) a strong undercurrent by vendors to "do right" by customers (altruistic motives debatable), and organizational security units to "do right" by their business units. We intentionally created a "circus" 5-10 years ago, and the results of doing so led to the _comparatively_ positive climate experienced now by the vast majority of the industry. Stunts like you've done with this (turning it into a media frenzy) undermine the entire framework by making security professionals look like complete clowns in front of executives who read the hype you're generating (but can't objectively answer their questions). The negative impact on vendors is equal since your hype-engine backs everyone into a corner of responding only one way.

One of the worst parts of the industry these days (as opposed to 5-10 years ago) is the no-disclosure/for-profit side. You are fueling that fire in so many ways, but the most ironic point of it all (in this thread) is the one oleDB raised (which makes it slightly more funny): "If you really cared about the details this much, why not invest some time into reverse engineering the patches." Lol... By show of hands, who thinks that wasn't done within 24 hours of their release and full details available to anyone who wanted them? And don't even get me started on the accidental leaks. Yet; Hrmm; No mass-exploitation. Imagine that. Organizations must have patched THAT fast! Either that, or --- Well, the jury is still out on the other side of this coin, and (after reversing those patches) you know where I stand on the issue.

Your "months of hard work" didn't have to be for naught. It would have been interesting to find what you did, take a non-dramatic course of action, then present generically on the fundamentals of potentially similar vulnerabilities, taking a survey of other technologies/protocols/products/processes/etc that could suffer from the same and why. (Check out some of the less-hyped presentations this year. There's a few examples of this. They probably won't be wearing sombreros though.)

Jesse Kempf said...

So.
The Kaminsky DNS vulnerability has hit ZDNet and Slashdot.

It looks like it's a piggyback DNS cache poisoning attack. So now it's bit easier to wallop someone's DNS cache. Nifty, I'll grant. But from a pragmatic security perspective, what hazard does this increase? So far all I'm coming up with is making it easier to get people to visit malicious sites by redirecting cnn.com, espn.com, intranet.mycorp.com, etc. etc. etc. to bad.gonnapwnjoo.biz...or phishing.

Other conceivable attacks get smacked hard by SSL/TLS provided the appropriate CA's certificate is on the client.

I'm hoping I'm just not seeing it. If someone wants to drop some science up in this biotch, by all means go ahead.

Nima said...

Nice blog! If you like we can exchange links on our blogs! My blog talks about information security software tools and resources and it is being updated daily, you can also subscribe to see the updates on your Google page:

Information Security Software Tools
http://cryptoexperts.blogspot.com

Mubix said...

@anonymous all I see you really saying is that 1. You preferred 5-10 years ago. 2. You have some kind of history with this sombrero. and 3. You prefer to see mass attacks before you validate something as "really bad".

I love your approach. Let's dramatize it a bit: Wait until the enemy kills someone AND THEN FIRE BACK! Until then, we're safe.

Overhyped, maybe. Commercial gain? How? As far as giving him his dues, come on, I don't care if he wasn't the one who truly discovered it. He was the one who coordinated patches and kept it under wraps for however long. Next time post your name so you can be criticized from angle as well. Until then, sit down, shut up, and quit making the hype "worse".

Joel Wilbanks said...

Richard,

I could not have said it better. The points you make echo my same thoughts. Additionally, in absence of the full story and exploit details, the circus will talk about whatever "news" it can find. Whether it's Dan's actions, the response of the community, or the long term ramifications of how security researchers disclose their findings, the community will expend significant resources in the circus.

What's to stop someone from finding out ALL of the details and printing up flyers and littering them around the BlackHat floor? I don’t advocate such a thing but after you go to these conferences enough you see some crazy things.

jbmoore said...

Richard has a thoughtful post. He puts the issue in some perspective. Unfortunately, we don't know the scope or scale of the harm done to innocents. We don't know if people have died.

Contrast this incident with the Salmonella scare. At least one person has died and many sickened, but the epidemiologists are having a hard time tracking the infective strain to its source. At first they thought it was tomatoes. So, no one ate fresh tomatoes. Now it's jalapenos. All of this because distributors don't keep accurate tracking and shipping records of produce. I believe there is a law on the books about documenting produce shipments by distributors, but is it enforced? From a public health and national security perspective our food supplies could be tainted in another country such as Mexico and imported here, and no one would be able to document the shipment it seems. Will this scare cause solutions to be put into place to solve the problem? Doubtful. There's too much money at stake making and selling food.

Decisions like this have been made for years where public health is concerned. That chicken or beef you ate today was likely shot full of antibiotics during the animals' lifetimes giving rise to antibiotic resistant strains of Salmonella in chickens and E. coli in cattle. The CDC has been trying for decades to stop the practice, but it continues.

We confront the same issue everyday at our jobs. There's too much money to be made off of the Internet. Put a band-aid on the problem and don't tell anyone how serious it is, or you could ruin the company. Don't tell the government either. They'll just get in the way.

You can fault DK for the way he went about it, but he alerted the vendors and helped them fix the problem before it got much much worse, and no one has died that we know of. If you want a better solution for when this happens next time then draft a set of procedures and have the IETF or whichever body you choose approve them, implement, and enforce them. As far as I know, there is no SOP on what should be done, just what is accepted practice, and Kaminsky followed that accepted practice even if it is far from perfect.

The reason the armed forces are such sticklers for details and procedures is because people die from their mistakes in the Armed Services. But as I've pointed out, people die all the time from contaminated food, and yet, little is done to mitigate those deaths by our government. Those deaths are deemed acceptable it seems until the public becomes outraged enough. So, get a grip and don't shoot the messenger in this case. He got the message out in time. He'll likely do a better job next time.

Anonymous said...

Dan's a grey hat--he doesn't have to particularly care about ethics, merely legality. I think a lot of white hats disconnected from the original culture tend to forget that.

oleDB said...

I speak at the same conferences, which is where my comments come from.

@anonymous
What's your real name so I can avoid your sessions at any conference? Your logic is flawed on so many levels, I can't take you seriously.


Now that Matasano has leaked the details, who cares to retract? Anyone? Yes there was absurd grandstanding by Dan, but it WAS the real deal imho.

Dan Kaminsky said...

jbmoore--

Thank you for your fascinating comments linking this scenario to public health realities with the CDC. You're thinking along some interesting lines.

jbmoore said...

Discovery News has this article about using a web crawler to track infectious disease: http://dsc.discovery.com/news/2008/07/18/disease-map-web.html.

Something similar is Hubble: http://hubble.cs.washington.edu/

or F-Secure's Worldmap: http://worldmap.f-secure.com/vwweb_1_2/en/previous_day

LonerVamp said...

One thing to keep in mind is there had to be a lot of pre-planning and talk with the vendors before any of the "circus" appeared for the rest of us. Dan may or may not have used a third-party arbiter for that...

So, there was at least some very large bit of planning going on and Dan was looking out for the interests of the Internet in general with that portion. Once the patches released, however, he might be justified in managing the disclosure as he feels fit.

*shrug*

I put it on my blog that while I do have some minor misgivings about the handling of it, I can't rightly hold anything against Dan personally. This is a grey area in a gray hat area, and I don't believe there really is any perfect answer that satisfies all parties.

glasdildo said...

Good Job! :)