DISCLAIMER: Logging other people's keystrokes or breaking
into other people's computer without their permission can
be considered illegal by the courts of many countries.
The monitoring software reviewed here is ONLY for authorized
system administrators and/or owners of computers.
We assume no liability and are not responsible for any misuse
or damage caused by the keylogging software. The end user of
this software is obliged to obey all applicable local, state,
federal and other laws in his country of residence.
July 11, 2008
DNS researcher convinces skeptics that bug is serious
Once-skeptical security researchers now agree that the critical bug in the Internet's Domain Name System (DNS) protocol is the real deal.
Dan Kaminsky, the researcher who uncovered the design flaw in DNS, and who then led a months-long effort to coordinate the large-scale, multi-vendor patching that was unveiled Tuesday, admitted he'd made a mistake in not reaching out to the security research community earlier.
"I screwed up," admitted Kaminsky, director of penetration testing at Seattle-based IOActive Inc., in an interview Thursday. "I'm the DNS guy in the black hat community, so if I'm saying it's bad then it's bad. It didn't occur to me that people would question it.
"My concern the entire time was that the public would panic, so I was thinking 'How do we get an orderly patch when this has never happened before?'" Kaminsky said. "I needed the vendors behind me and the DNS community. And I had that in spades."
But what he didn't have was the support of security researchers, including some notable names who, after the Tuesday announcement, were dubious about Kaminsky's claims.
Thomas Ptacek of Matasano Security led the charge, saying that the DNS cache poisoning attack that Kaminsky alluded to was old news. "Saying it here first: doubting there's really any meat to this DNS security announcement," said Ptacek on Tuesday on Twitter.
Dino Dai Zovi, another security researcher -- who is perhaps best known for walking off with a cool $10,000 after hacking a Mac last year in the inaugural "Pwn to Own" contest -- also was skeptical.
In a conference call yesterday that was arranged by security analyst Rich Mogull of Securosis, who Kaminsky had asked to help organize the Tuesday announcement, Kaminsky briefed Ptacek, Dai Zovi and at least one other researcher on the details of his findings.
"I broke a huge rule, I didn't bring in anyone else from the research community," said Kaminsky in explaining why he felt he needed to deviate from his plan to withhold technical details until early next month, when he presents at the Black Hat security conference. "I forgot that, no, you don't get to make a whole bunch of noise without some technical details to back it up," Kaminsky said. "Security researchers, we need the ability to call 'bullshit' on people."
Essentially, that's what Ptacek, Dai Zovi and others did. After the conference call, however, both Ptacek and Dai Zovi said they were convinced the DNS flaw was as significant as Kaminsky had promised.
"Dan's got the goods," said Ptacek in an entry on the Matasano blog Wednesday.
"Dan explained the full details and scope of his attack and both of us were impressed and agreed that it is way more serious than we had imagined," said Dai Zovi on his blog. "When the full details of Dan's attack come out, you will most likely be impressed. I definitely was."
"I'm very happy with how all this turned out," said Kaminsky on Thursday. "I'm very pleased people are patching.
"But peer review is important. If there's not full disclosure, there has to be at least peer review. I agree with the skeptical reaction. If it happened again, I would never do it this way. I'd still try to delay disclosure, but I'd bring in other voices," he added.
But even as he said Kaminsky had the goods, Ptacek questioned the decision to keep the details under wraps. "I think Dan should come clean on this and publish the details," Ptacek said in that same Wednesday blog posting. "The 30 days he's given before Black Hat won't make much of a difference. But his reason for not doing it is at least plausible. And he did the work. So, it's his call."
"No, I think I'm committed to Black Hat," said Kaminsky when asked if he had second thoughts about waiting until then to make public more information about the DNS bug. "Every day someone doesn't find [an exploit] helps. I'm just trying to buy time for my buddies [in corporations]. Because I know if you screw up DNS, the Net goes down."
Kaminsky's presentation is scheduled for August 7 at Black Hat, which runs August 2-7 in Las Vegas.
Source: ComputerWorld
All news for August, 2008
All news for 2008 year
All news for 2007 year
All news for 2006 year
All news for 2005 year
All news for 2004 year
DONATION: Keylogger.org is an independent research
project supported by a team of enthusiasts. If you find this
project useful or would like to help foster its continued
development please consider making a donation using PayPal`s
online secure payment service. A PayPal account is not required.
All major credit cards are accepted (MasterCard/Eurocard,
Visa/Delta/Electron, American Express, Switch/Maestro, Solo).
Simply click the button below.
Any amount would be useful and appreciated!
Thanks in advance for your support!
|
