nanog mailing list archives

Re: how to protect name servers against cache corruption


From: Michael Dillon <michael () priori net>
Date: Thu, 31 Jul 1997 10:55:12 -0700

At 10:32 AM -0500 7/31/97, Robert T. Nelson wrote:
> On Wed, 30 Jul 1997, Michael Dillon wrote:

>> Maybe some of us have thought about it and realized that the best course of
>> action is to:
>>
>> a. not talk publicly about this lest the cracker community learn too much

> I disagree that we should not talk publicly about flaws in the design of
> the network. I think that this information should be as widely
> disseminated as possible.

The way I see it, it is valuable to admit that flaws exist and to make sure
as many people as possible know the best possible solutions to the problem,
in this case installing BIND 4.9.6 or the latest BIND 8. But I don't think
that it serves anyone to discuss the details of how these flaws can be
exploited. Yes, I know that the security experts discuss this stuff in
their own forums and that some crackers are there learning and building
exploit tools. But I feel uncomfortable when the detailed discussion of
exploit techniques spills over into too many other forums.

> In 1853 Charles Tomlinson wrote a treatise on Locks. This document
> describes the reasons that the "good guys" should discuss the construction
> (and failings) of locks in public, otherwise only rogues will have the
> information. He goes on to further state that rogues will be the first to
> *apply* such knowledge.

No argument here. And thank you for pointing out how we aren't really
breaking as much new ground here as some people think.

> Furthermore, not discussing security issues, and their implications
> publicly leads to hysteria and paranoia throughout the system. Do you
> suggest that we gain protection from having uneducated network
> administrators?

Nope. I think it's great to educate network administrators on what they can
do today to protect their networks and I think that a good way to combat
paranoia is to suggest that there is an action available that will increase
your protection. When the public believes that something can be done, i.e.
upgrade BIND, filter bogus source routes, block broadcasts, then they
generally pressure the technical people to get cracking and implement the
solutions. This is not paranoia.


********************************************************
Michael Dillon                    voice: +1-415-482-2840
Senior Systems Architect            fax: +1-415-482-2844
PRIORI NETWORKS, INC.              http://www.priori.net

"The People You Know.  The People You Trust."
********************************************************



