There are two stories posted on Linux Today that I knew I was going to rant about as soon as I saw them:
"Nominum Solves Kaminsky Attack" and "Novell's iPrint Open to Attack, Say Researchers." What do these stories have in common? I was thinking perhaps institutionalized delusional thinking and incompetence, but maybe I'm being too harsh.
In the first story, Nominum boasts of their prowess in foiling the DNS cache poisoning threat recently publicized by Dan Kaminsky. I have to admit I'm missing the finer points of Mr. Kaminsky's discovery: cache poisoning has been a problem with DNS since it was invented, because the protocol and the entire name services infrastructure are based on way too much trust of unknown third parties. It's too bad we live in a world where it's wiser to be paranoid, but that's how it is.
But to my way of thinking, Nominum didn't fix a thing. The article describes combining four techniques for foiling what they are now calling the Kaminsky Attack. I guess "cache poisoning" isn't glamorous enough. The techniques sound questionable, and the fixes only apply to their expensive, closed proprietary caching server. Nobody else benefits from this fix. So it's not a fix at all; it's as though they were claiming to have cleaned up a small volume of water in a large swimming pool. I suppose someone else could figure out how to implement the four defenses described in the article, if they seem worth the trouble.
At least one of them gave me a WTF moment:
"If a strange query comes from an authoritative server, Vantio establishes a secure connection to the server, cutting out the attacker, who is spoofing the IP address of the secure server."
Assuming they spin their Spidey web to the correct server, is there some reason to not always maintain this secure connection? That sounds like trying to put on your seat belt when you think a collision is imminent. This one sounds daft too:
"Nominum resists giving out the IP addresses of name servers (glue records) making attacks more difficult."
Now think about this: what happens when you hide name servers?
I have administered many a DNS server, but I am not a security expert, so I welcome enlightenment from you fine readers if my criticism is unwarranted.
Novell and ActiveX: Turbocharged Pitifulness
The Novell story is a sad, bad tale of You Can't Teach Some Dogs Anything At All. I quote:
"Secunia, which reported the bugs to Novell, counted at least eight vulnerabilities in the ActiveX control included with the Windows Vista version of the iPrint client, as well as several other flaws in another Windows Vista iPrint component...iPrint is Novell's implementation of the Internet Printing Protocol (IPP), and lets users use, install and manage printers through the browser."
First of all, iPrint sounds like Apple, but it is some kind of Frankensteinian CUPS mutation. But that's a minor nit compared to using ActiveX in a printer client. Do these people feed and dress themselves competently? Is there anyone on the planet who doesn't know that ActiveX is a finely-engineered pestilence that cannot be trusted under any circumstances? ActiveX has one purpose in life: allowing the installation and execution of remote code on a Windows system via Internet Explorer. ActiveX controls have unfettered access to the entire operating system. Using ActiveX is like rubbing yourself with bacon and flinging yourself into a hyena pack. There is no safe way to use ActiveX. Why is it even necessary for a printer client? The CUPS Web interface for Linux doesn't need ActiveX and it's worked fine for years. There is one for Mac too, which also doesn't need ActiveX, and both of them work in pretty much any Web browser. You don't need the match+flame duo of ActiveX and IE. In fact, smart people avoid them like the toxins that they are.
Lest anyone think I am being too mean to poor old defenseless Novell and Microsoft, I recall ActiveX security advisories almost from its inception back in 1996 or so. What has changed since then, twelve years later? Nothing, as this random recent security bulletin shows:
"Microsoft has released Security Advisory (955179) to describe attacks on a
vulnerability in the Microsoft Office Snapshot Viewer ActiveX control.
Because no fix is currently available for this vulnerability, please see the
Security Advisory and US-CERT Vulnerability Note VU#837785 for workarounds."
So we need to revise the popular "fool me once" saying:
Fool me once, shame on you
Fool me twice, shame on me
Fool me thousands of times over many years...let's get married!
Now why is it again that corporate participation is important to FOSS?