lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Fri, 2 Nov 2007 12:01:42 -0400
From: Tim <tim-security@...tinelchicken.org>
To: Shane Kerr <Shane_Kerr@....org>
Cc: bugtraq@...urityfocus.com
Subject: Re: Comments re ISC's announcement on bind9 security

Hi Shane,

> It shouldn't cause any performance issues to do a refresh every few seconds,
> although I would think you'd be better off simply using a larger pool. I haven't
> tested it, but you should be able to set the pool size to 16384 for that magical
> 30 bits of entropy you want (you probably want to set the refresh to a very
> large value in this case).

Does BIND choose those ports in a cryptographically secure way?  Can it
be configured not to re-use a socket for multiple queries in a row?  Not
sure what the current algorithms are... please pardon my ignorance.  If
BIND is reusing bound UDP ports for multiple queries in a row, then that
definitely reduces the entropy.


> I'm sorry you're frustrated. There are a lot of ways you can change the
> direction of ISC development. Firstly, you can submit source code - we like that
> one especially. Secondly, you can fund development, and have us develop code
> that you need or want done. Thirdly, you can join the BIND Forum and give us
> recommendations and feedback there. Or forth, you can simply ask us.

Well, under normal circumstances I might consider contributing code or
helping you get your collective security act together.  However, other
ethically-questionable practices that the ISC engages in pretty much
prevent that from ever happening.  

In particular, your organization charges for early security
vulnerability information.  I personally feel that creates a huge
conflict of interest.  You produce a product.   If there are
vulnerabilities in that product, you boost revenue from your early
notification program, since users will be incented to join the members
program. Hmm...  Sounds like one fine line away from a protection
racket.  What stops any random "evil hacker" from joining this program
as a sponsor and using that information to attack BIND users who aren't
in your special club?  Nope, sorry, no contributions from me.

The information about using randomized source ports has been around for
ever in multiple public forums.  If the ISC wanted to make a more secure
product they would have drawn from these sources long ago.  

> Don't worry, I don't take it personally. I've been working in technology enough
> to know that people tend to flame first, and ask questions later. I don't like
> it, and I wish it wasn't part of the techy culture, but there it is.

For the record, I did ask questions first before making wild
allegations. ;-)

tim

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ