Paranoia(?) and Info

Well, it’s been a busy couple of weeks. Things we should all be aware of:

  • J.ROOT Server has moved. This means all of you who manage your own DNS servers should update the named.root (db.root) file on your servers. An updated file is available at ftp.internic.net/domain/named.root
  • Another major series of security vulnerabilities has been discovered in BIND versions 4 and 8 (see CERT Advisory CA-2002-31). Basically, the solution is to upgrade to BIND 9.2.1. Note: We had a lot of problems getting 9.2.1 to run on one of our older Solaris boxes (LWP errors) and had to re-compile without threading support. You can get 9.2.1 from the ISC.org site.
  • Meanwhile, our governmental leaders have been busy trying to fix what is not broken. A series of last-minute additions to the Homeland Security Bill have strengthened penalties against “hackers” and allow carriers to become snooping agents of federal law enforcement. Additionally, the bill now encourages software manufacturers to report security flaws by ensuring confidentiality. The bill goes so far as to preempt Freedom of Information Act (FOIA) requests. Although the privacy issues raised by these additions to the bill are frightening, and there are several good resources to get involved in these issues (see CDT for example), this notion that secrecy is equivalent to security in computer systems is just asinine. As a terrorist or hostile agent it would be far easier for me to find an undocumented security bug and exploit it than to use a known bug which administrators have knowledge of, and have patched or adjusted for. The greater problem is that large software companies (such as Microsoft) are already discouraged from releasing bug reports, due to adverse reactions in the marketplace — after all, who really believes they can run a secure website on IIS nowadays — and to allow them to hide security holes within the government gives them an additional shield against criticism and does not allow the bug to be fully explored - most bugs are not fully fixed in the first patch release, and many fixes have relied on users in the wild to pinpoint all possible exploits within a given bug. Additionally, this type of provision creates two classes of operators — those in the know (presumably Government systems) and the rest of us. How can we, as ops, trust any software provider — or government agency — who is aware of insecurities in our systems, but won’t share that information with us? I guess Orwell was right: “War is peace. Freedom is slavery. Ignorance is strength.”

    Help Help I’m Being Attacked — Whatever

    I have been somewhat busy and, therefore, unable to attend to the various outrages which have been occurring in the past month or so. Certainly the most irksome fiction of the hoi polloi was the Attack on the Internet of October 21st. According to the popular media, on this date the Internet suffered a major attack which came close to shutting down the global network. BAH!! What actually occurred was a pretty standard Distributed Denial of Service attack against the root DNS servers (really only 12 of the 13 were at all affected). DDoS attacks are quite common nowadays, and there are well-known measures which can be taken to lessen their effect. Yet, despite the facts that this attack was not particularly effective, nor posed any long-term threat to the Internet as a whole — in fact all root DNS servers would have to be down for a couple of days before most users would notice — the popular, and industry, media immediately sounded a panic alert that the Internet had been hacked! What’s most disturbing is that so-called experts — like Kim Komando — fed this media frenzy with their own hyperbole, stating that this was a sophisticated attack which could have rendered the global network inoperative. At the same time real experts, like Paul Vixie, were misquoted and ignored in deference to creating a panic story. Frankly, the UUnet outage of the previous weeks affected far more users and created far more headaches for network operators than the attack on the root servers did. Yet, the outage was generally ignored by the media, leaving one to wonder if the reporting on the DDoS ROOT Server attack was part of a larger journalistic zeitgeist — one designed to make us feel as if we are under attack in all areas of our lives. Essentially, this incident has again illustrated that the popular media has no clue as to how the Internet operates, and what computer security consists of.
In the future, we should all be more suspicious of any news regarding the Internet and of cyber attacks in general.
