Paradox – revealing passwords is bad; revealing DNS attack technique is good?

It sure seems like security professionals generally agree that the San Francisco DA who revealed a set of usernames and passwords increased the risk and did something “bad” for security.

It sure seems like security professionals generally agree that the bugfinder who revealed an attack technique against many, many DNS servers did something “good” for security.

Why is that?

6 comments for “Paradox – revealing passwords is bad; revealing DNS attack technique is good?”

  1. Steve Pinkham
    July 29, 2008 at 10:45 pm

    Disclosing existing DNS flaws == disclosing existing risk.
    Disclosing passwords == creating new risk.

    It’s the difference between telling people their improper house wiring is likely to start a fire, and dousing their house with gasoline and throwing a match on it.

    Who are you, the ask easy questions guy? Furthermore, why do I feel compelled to answer?

  2. Pete
    July 29, 2008 at 11:10 pm

    @Steve -

    Actually, I think you are the “I will provide the generic answer because I never really thought about it” guy.

    And your analogies are always off.

    Do me a favor – re-read your comment very carefully and let me know if you truly stand by the analysis.

    Let me know if you still agree with yourself.

    Pete

  3. Steve
    July 29, 2008 at 11:30 pm

    Ha. Maybe typepad doesn’t allow you to see it, but that was a different Steve than the one that disagreed with you in the last thread (me). And I disagree with you again.

    I have no reason to believe that any bad actors already had a list of 150 valid passwords, and so the San Francisco DA was providing information that was probably not available to anyone else. I do think there are probably bad actors that had already figured out the DNS flaw, and so making a patched version of the software is better. Maybe you think Dan should have kept his mouth shut after talking to the vendors. That’s fine. Not as many people would have patched as quickly, but eventually random source ports would filter through the ecosystem, and everyone would be just a little bit safer. I like to know that sort of thing as soon as possible, but to each his own.

    At its core, you still believe that criminals are stupid and lazy, and that they’re not as smart as the bugfinders. I still disagree. I recall that you lost a 6-pack of some goofy Rocky Mountain beer because of a similar position you took about undisclosed vulnerabilities.

  4. Pete
    July 29, 2008 at 11:47 pm

    @(other)Steve -

    Oops, thanks for the clarification. I knew I was dealing with two Steves, but got them mixed up.

    I think attackers come in all shapes and sizes. Many are lazy (but smart) and conserve their resources by exploiting vulnerabilities that other people find using tools that other people create. We spend all of our time trying to stop these folks.

    Another group are the seriously smart hackers with extensive resources available. They laugh at the circus around vuln discovery and disclosure (and attack technique invention) and are happy to be completely ignored as they dip into their stable of undercover vulns and make their money. I think we should be spending the bulk of our time on these folks. (That’s what I mean about scarce resources and opportunity cost).

    In order to protect against the real bad guys using our existing techniques, we would have to find *every single* vulnerability that they have found. I believe the odds of that happening are practically zero.

    I have lost lots of beer in pursuit of my undercover exploits and vulns. The great news is – I just want the truth. Finding undercover vulns supports my case that you can identify new vulns via attacks in the wild. The small number of vulns found supports my case that there is little need for attackers to look for new ones. I can lose the beer, but not the argument ;-) .

    (I still owe security curmudgeon a case, I believe – but can’t figure out how to ship/deliver Fort Collins Chocolate Stout to Denver.)

  5. Steve Pinkham
    July 30, 2008 at 12:21 am

    Pete:
    Yes, I do stand by my analysis.
    Disclosing the DNS flaw raises the risk in the short term due to a new attack vector, but at the same time there is a heightened awareness of the problem which helps negate the short term risk. People are catching, blocking and cleaning DNS attacks because they know they are likely at the moment.
    If an attacker knew of the flaw before this month, they would have a MUCH easier time of flying under the radar.
    In the long term, disclosing the DNS risk helps us patch the current problem and design better systems in the future. This is where the real win is, as we secure the system as a whole. This specific fix wasn’t a normal patch, it was a systemic increase in security through increased randomness that applies to other things besides this vulnerability.
    In my previous analogy, we’re slowly upgrading the wiring. (Of course, the industry as a whole is building shoddy work next door at the same time, and 10 times faster than we clean up, but that’s a separate rant.)

    In the short term, disclosing passwords raises the risk. In the long term, the passwords will hopefully be changed, and the risk is back to normal. There is no net increase in security, in the long or short run.

  6. Steve Pinkham
    July 30, 2008 at 1:31 am

    First, I apologize for my lack of proper grammar above; one should not post after midnight.
    Second, I would like to disclose my biases.
    I am a web application security consultant because my family needs to eat today. In this role I must be pragmatic.
    I am a security researcher because I want the net to be a more secure place in the long term. In this role, I want to solve problems correctly once, difficulty be damned. That is why I do evangelize things like strong identity management through DNSSEC for corporations and smartcards for individuals.

    This DNS patch is a different class of vulnerability than the latest buffer overflow in some widget. It is a protocol level vulnerability that forces people to strengthen DNS against both previously known and yet to be discovered attacks, immediately through port randomization, but hopefully beyond that.

    It just occurred to me that you might be just trying to argue that we would be more secure if Halvar Flake and the Matasano crew had let the world have another 2 weeks or so until Black Hat to patch. If that is what you’re arguing, then I would agree with you. In this ongoing DNS soap opera, Dan’s work has made us more secure, Halvar/Matasano is much less clear cut.
    That is why I called you “ask easy questions guy”, because you ask questions that are so poorly specified that people can argue any point of view in response and be correct, and at the same time you can be smug about your own correctness.
    Be aware that your blog readers can’t read your mind, and are responding to what you typed, not what you were thinking. I know you like brevity, but if you are trying to have a useful discussion here, sometimes more is better.
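A defender-side check in the spirit of the source-port randomization fix the thread keeps returning to. This is an added example, not code from the original post or its commenters; it assumes you can export (transaction ID, source port) pairs for a resolver's outgoing queries from a packet capture or query log, and the three sample logs below are constructed, not real captures.

```python
import math
import random
from collections import Counter

# Constructed sample logs (not real captures): (txid, source_port) for 64
# outgoing queries from a resolver, in three hypothetical configurations.
_rng = random.Random(2008)
FIXED_PORT = [(_rng.randrange(1 << 16), 53) for _ in range(64)]
SEQUENTIAL_PORT = [(_rng.randrange(1 << 16), 1024 + i) for i in range(64)]
RANDOM_PORT = [(_rng.randrange(1 << 16), _rng.randrange(32768, 61000))
               for _ in range(64)]


def shannon_bits(values):
    """Empirical Shannon entropy in bits; capped by log2(sample size)."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def assess_randomization(queries, min_port_bits=5.0):
    """Classify a resolver's source-port behaviour from its outgoing queries.

    A fixed or sequential port leaves only the 16-bit txid for a blind
    spoofer to guess; a randomized port adds a second identifier that the
    resolver checks before accepting an answer.
    """
    txids = [t for t, _ in queries]
    ports = [p for _, p in queries]
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    # Sequential allocation has high entropy but is predictable, so check
    # whether most consecutive queries step the port by exactly one.
    sequential = len(deltas) > 0 and sum(d == 1 for d in deltas) > len(deltas) // 2
    port_bits = shannon_bits(ports)
    if len(set(ports)) == 1:
        verdict = "fixed_port"
    elif sequential:
        verdict = "sequential_port"
    elif port_bits >= min_port_bits:
        verdict = "randomized"
    else:
        verdict = "weak"
    return {
        "verdict": verdict,
        "port_bits": round(port_bits, 2),
        "txid_bits": round(shannon_bits(txids), 2),
        "distinct_ports": len(set(ports)),
    }


if __name__ == "__main__":
    for name, log in [("fixed", FIXED_PORT), ("sequential", SEQUENTIAL_PORT),
                      ("random", RANDOM_PORT)]:
        print(name, assess_randomization(log))
```

With only 64 samples the entropy estimate tops out at 6 bits, so treat the verdict as a screening result and collect more queries before concluding a resolver is properly randomized.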
