| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 29 Oct 2007 21:43:10 +0200 From: "Network Protocol Security" <netprotosec@...il.com> To: bugtraq@...urityfocus.com Subject: Comments re ISC's announcement on bind9 security BugTraq I found this ISC announcement quite amusing: http://www.isc.org/index.pl?/sw/bind/docs/response_transaction_id_issues.php It's a text published by ISC as a follow up to the bind9 predictable id saga. Particularly the following statement is funny, and shows complete lack of understanding of the terminology and of the problem space: 'ISC would like to assure the Internet community that this is much less an issue of using "extremely weak crypto" as it has been described, than the use of a random number generator that did not provide sufficient randomness.' My understanding is that they used a pseudo random number generator in bind9, and when you use a pseudo random number generator (whose sequence in this case is predictable after observing about a dozen outputs) instead of a strong cryptographic algorithm whose sequence cannot be practically predictable, how do you call this? right - "extremely weak crypto". The irony is that statement is found in a text intended to instill trust and reassure the bind9 users that ISC digs security... (another mistake in the ISC announcement is right at the top of the page, where it reads "In June of 2007, a problem regarding Transaction ID generation in BIND 9.4.1 (and prior) was reported to Internet Systems Consortium (ISC) engineers." but according to Trusteer, they reported it on May 29th: http://www.trusteer.com/docs/bind9dns.html#chapter_4)
Powered by blists - more mailing lists