funsec mailing list archives

Re: Leaks in Patch for Web Security Hole

From: Valdis.Kletnieks () vt edu
Date: Sun, 10 Aug 2008 00:51:57 -0400

On Sat, 09 Aug 2008 10:29:23 EDT, "Richard M. Smith" said:

In a posting on his blog
<http://tservice.net.ru/%7Es0mbre/blog/devel/networking/dns/2008_08_08.html>
, the physicist, Evgeniy Polyakov, wrote that he had fooled the software
that serves as the Internet's telephone book into returning an incorrect
address in just 10 hours


Vixie said "11 seconds".  So the patch added a work factor of roughly 3,600,
rather than the 64K that *full* randomization would have added.  Or he just
got lucky and it happened to work in the first 5% of the attack...

But then, it was *known* that the patches merely made it harder to hit
the hole, and DNSSEC is needed to *totally* fix the issue.

Attachment: _bin
Description:

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

Current thread:

Leaks in Patch for Web Security Hole Richard M. Smith (Aug 09)
- Re: Leaks in Patch for Web Security Hole Valdis . Kletnieks (Aug 09)
  - Re: Leaks in Patch for Web Security Hole Larry Seltzer (Aug 10)
    - Re: Leaks in Patch for Web Security Hole Gadi Evron (Aug 10)
    - Re: Leaks in Patch for Web Security Hole Åke Nordin (Aug 10)
    - Re: Leaks in Patch for Web Security Hole Paul Vixie (Aug 10)