I have a confession to make – I think many bugfinders out there are finding some really cool things, and I am glad they are doing this for us and not for the bad guys. It is easy to see how jazzed someone can be when they find a bug, and how quickly they can be consumed by it. But the "cool" factor really shouldn't be enough when dealing with OPR (other people's risk).
Unfortunately, it appears that these same bugfinders are very poor at risk assessment. I think this is the case with Dan's DNS Debacle. He clearly means no harm, and he actually thinks we should be happy that he did what he did in the way he did it. I think it is a pretty interesting exploit, and I can see that he tried hard to do the right thing, but it is also clear that the impact to the Internet is almost certainly net negative — i.e. risk is increased.
This is a fundamentally simple point: in order for risk to be reduced, you have to believe there were more exploits across the Internet that used this attack technique prior to July 8th than there will be since July 8th and into the future. That is:
- More incidents prior to July 8th -> risk is reduced.
- More incidents after July 8th -> risk is increased.
This is the litmus test, and there is no doubt in my mind that risk is increased. Can there be any doubt in yours? If so, I would love to hear how threats and vulnerabilities can be manipulated to come up with risk reduction.
Bugfinding is a strange world, because it can often feel like the world is better off — to make matters worse, there are plenty of people who really think they ARE better off. But this is one of those cases where economists can identify irrational behavior and label it "human" due to the common biases that people have.
Update: Dan responds in the comments below (italicized here) and I clarify:
Well, here's the draft that would have led to this bug breaking publicly, right about now.
http://tools.ietf.org/html/draft-ietf-dnsext-forgery-resilience-05
(Don't be too surprised by the timing; Amit Klein's TXID randomness attacks were gated by TTL opportunities. This is a necessary consequence of that talk.)
Dan – First, let me say that I think you are a clever guy and this is a clever attack technique that you've invented.
I don't really get why you think this would have precipitated your attack technique. We've known about this problem for years. What I am trying to figure out is how many people could have figured it out prior to July 8th and how many people can execute it now. (If you are suggesting that lots of bad guys read the RFCs, I suppose I'll have to disagree).
Elapsed time is everything with this bug – sometimes you seem to suggest that this would have been hard to figure out – since you have been doing DNS for a long time – and sometimes you make it seem like it was easy.
I think we can agree that this bug would have been far riskier just going public one day, than this staged disclosure. In absolute terms, there would be more incidents from the inevitable rebuttal to Forgery Resilience than from a simultaneous patch event.
I do agree that it would be far riskier just going public one day and that, should someone decide to go public, you did it in a way that would keep the risk at its lowest level of increase. It is not clear to me, however, why you think someone else would have invented this attack technique, and why they would be bad guys.
Beyond that, I suspect that the long term damage to the Net of this bug staying in the hands of a few bad guys (it's too simple not to have) would have been — has been — silent but quite deadly.
This is where things get tricky. Just when I think you are agreeing that you've increased risk, you say something like this. It calls into question the capability of all the folks assigned to manage, monitor, and secure DNS. You see, I think that if this technique was in widespread use, it would have been identified. Statistically, given all the vulnerabilities and attack techniques that have been and will be discovered and invented, it is highly unlikely that someone would have come across this one.
In any case, I believe your disclosure (and the inevitable exploit code) has made it far, far easier and obvious to folks who would never have known any better, and they will certainly be exploiting it.
I guess it comes down to — suppose you knew of a flaw that could really break things. Would you just leave it there, waiting to hurt people? Or would you try to do something about it?
I would do something about it. But I wouldn't be happy about it, and I wouldn't over-publicize it and intimate that everyone should be happy about it. Dan, I like positive press, too, but if you go back and look at what you've done, it was probably the biggest self-initiated ego-trip I've ever seen in bugfinding history.
Not only that, but I think it is arrogant to try to "order" people around with "Just.Patch.Now" kinds of assertions, when you have no clue what they have going on at their jobs and how this announcement fits into it. And when your supporters start getting self-righteous and calling people stupid for not patching, I find it even more offensive.
You found an arbitrary attack at an arbitrary time. There have been lots of these in the past and there will be many more to come. You say things like you can take down the "entire Web" (feel free to describe what you mean by that one, and why all those bad guys hadn't done it already if they are likely to have known about this).
I'm trying to do something about it. I'm not asking for anyone's gratitude. Actually, the security community is pretty pissed at me right now — broke their rules, knowingly.
Yes, your entire tone makes it clear that you think you've done a great thing and that everyone else should think that as well. You told me in my last blog post that I should be happy about this. The "security community" (i.e. other bugfinders) are pissed off for a different reason. But you seem to completely ignore the entire population of Internet users out there… and you've increased their risk.
What's increasingly clear to me is we need good ways to deal with these flaws, and that just leaving them there until they collapse is just as dangerous an idea with internet infrastructure as it is with our roads and bridges.
I disagree – what I think is that we need to be secure without having to rely on bugfinding. There are plenty of opportunities for better representation of legitimate functionality (software safety data sheets) and enhanced monitoring. We will always be behind the game trying to deal with finding every flaw in the world.
I look forward to seeing what everyone has to say, when all this is said and done — even you. Though I will say, the inflammatory titles do not help your credibility in that matter.
(If I wanted to ignore you, I would.)
No doubt, I am in the peanut gallery. I am pretty sure everything IS said and done, and this is what I had to say.
Well, here’s the draft that would have led to this bug breaking publicly, right about now.
http://tools.ietf.org/html/draft-ietf-dnsext-forgery-resilience-05
(Don’t be too surprised by the timing; Amit Klein’s TXID randomness attacks were gated by TTL opportunities. This is a necessary consequence of that talk.)
I think we can agree that this bug would have been far riskier just going public one day, than this staged disclosure. In absolute terms, there would be more incidents from the inevitable rebuttal to Forgery Resilience than from a simultaneous patch event.
Beyond that, I suspect that the long term damage to the Net of this bug staying in the hands of a few bad guys (it’s too simple not to have) would have been — has been — silent but quite deadly.
I guess it comes down to — suppose you knew of a flaw that could really break things. Would you just leave it there, waiting to hurt people? Or would you try to do something about it?
I’m trying to do something about it. I’m not asking for anyone’s gratitude. Actually, the security community is pretty pissed at me right now — broke their rules, knowingly. What’s increasingly clear to me is we need good ways to deal with these flaws, and that just leaving them there until they collapse is just as dangerous an idea with internet infrastructure as it is with our roads and bridges.
I look forward to seeing what everyone has to say, when all this is said and done — even you. Though I will say, the inflammatory titles do not help your credibility in that matter.
(If I wanted to ignore you, I would.)
Dan is right. You can’t stick your head in the sand and assume that this hasn’t been discovered by at least some bad actors in the last 10 years or so. Dan’s a publicity whore, and his grandstanding is annoying, but systems are better off without bugs in them.
And that’s where I don’t get the anger directed at people that find bugs. Do you also get pissed when Consumer Reports discovers lead paint in toys? Would you rather carry on believing all the toys are safe, instead?
@Steve -
People withhold vulnerability information all the time. Bad guys likely have plenty of vulnerabilities that we don’t know about. But there are too many vulnerabilities to try to find them all.
Clearly, systems are better off without bugs in them. I don’t think you can find any of them… In fact, I don’t even think you can find the majority of them… People are NOT better off when you find a single bug out of the many that exist and disclose it to the world.
No, I don’t get mad at Consumer Reports because there is no intelligent adversary involved who could inject lead paint in millions of toys around the world with the information Consumer Reports provides. (Not sure why you think that analogy is a good one).
@Pete:
The consumer reports analogy was intended to show another instance of a third party with better/more information helping a group of consumers without the time or expertise to do the evaluation themselves. It was probably a bad analogy.
If I’m reading you correctly, you are against all forms of vulnerability disclosure? Like Mr. Burns, the world is so ridden with software bugs that the only thing keeping us alive is that all the bugs try to get through the door at the same time?
So, no disclosure? Let the smart bad guys find all the flaws and exploit them, in order to keep the lesser bad guys from learning about them (and, by extension, preventing the good guys from having a chance to protect themselves)?
@Steve -
1) I am “against” any discovery and disclosure events that increase risk. I hold open the possibility that there are situations where this doesn’t happen (QA for pre-GA software might be a good example here). In general, random public discovery and disclosure increases risk and I am all for minimizing it.
2) I am particularly “against” bugfinders who find bugs thinking they are doing the world a favor, and by extension encouraging other people who want to be heroes to go out and find bugs too.
3) The rate of vulnerability creation is far exceeding the rate of vuln discovery, so while every find seems beneficial, they are Pyrrhic victories in a war we are losing. Therefore, I am “for” developing existing techniques and finding new ones that put us in a better position of winning.
4) You make an assumption that bugfinders magically find the vulns the bad guys find. In an unconstrained world of vulnerabilities, this probability is extremely low.
This means that bugfinders are contributing even more to the smart bad guys being able to find flaws and exploit them because they are distracting us and consuming significant resources on the wrong vulnerabilities.
Then, lo and behold, even those vulnerabilities get exploited and we’ve increased risk and created an even bigger problem. Meanwhile, those smart bad guys that you think I am leaving alone are being aided and abetted by folks like you who support disclosure.
5) You seem to imply that this is the only way to protect ourselves. If it is, we are dead. But it isn’t. We need to focus more on trusted systems and monitoring, and a lot less on vuln patching. But we can’t because bugfinders keep creating imminent threats out of thin air that must be addressed. (And meanwhile, I say again, the really smart bad guys are still doing their thing.)
@Pete
I think you severely underestimate the ability and motivation of the bad guys, and that accounts for our difference of opinion. If the bugfinders are really that much smarter than the bad guys, then I take your point. On the other hand, when there is so much evidence of financially motivated and able attackers (especially in Russia and China), I tend to believe that the attackers already know most of these vulnerabilities. In that case, the bugfinders are only helping to close the gap, and I appreciate their work.
And, to point of the attention-seeking, I think that’s a lot less beneficial than it once was. I used to believe that Microsoft needed to be publicly embarrassed before it would clean up its act. Now I know that Microsoft improved their security because they saw it was necessary. Oracle is repeatedly exposed as vulnerable and they still get away with an “Unbreakable” ad campaign, so clearly the publicity has no impact on the bottom line.
I could do with less publicity-whoring. Especially from Kaminsky, whose act includes his grandmother, doing shots on stage, some kind of sombrero, and now his niece. It’s difficult to take him seriously.
DNS Flaw, Continued
I wrote a more in-depth risk assessment for the DNS flaw on the Burton Group SRMS blog.
@ Pete:
You said, “what I think is that we need to be secure without having to rely on bugfinding. There are plenty of opportunities for better representation of legitimate functionality (software safety data sheets) and enhanced monitoring. We will always be behind the game trying to deal with finding every flaw in the world”.
If you keep talking this line over the years, I’m going to be more and more likely to agree with you.
What do we do until software safety sheets reach popular culture as critical mass? In a world where Consumer Reports still rates AV software and network equipment vendors put the words, “NERC CIP-compliant” on their latest hardware and software — isn’t bugfinding a bit more appropriate?
IMO, we will always be behind the game if vendors can continue to sell security as marketing terminology or shoddy blackfilter products.
In this Dan Kaminsky situation, I agree with you. There was no reason to go public in the way and to the degree that he did. Dan has done us all a disfavor.
Pete, you also said, “Dan, I like positive press, too, but if you go back and look at what you’ve done, it was probably the biggest self-initiated ego-trip I’ve ever seen in bugfinding history. Not only that, but I think it is arrogant to try to “order” people around with “Just.Patch.Now” kinds of assertions, when you have no clue what they have going on at their jobs and how this announcement fits into it. And when your supporters start getting self-righteous and calling people stupid for not patching, I find it even more offensive”.
Maybe you’ll be interested to know that Dan won the Pwnie award for “Most over-hyped bug”, and then proceeded to storm off-stage and out of the room crying and acting like a baby.