Re: Apple make James Taylor happy
- From: usenet@xxxxxxxxxxxxxxxxxxxxxxxxxxx (James Taylor)
- Date: Sun, 10 Aug 2008 10:38:45 +0700
Jaimie Vandenbergh <jaimie@xxxxxxxxxxxxxxxxxxxxx> wrote:

> Hey ho. Still, since Bind isn't enabled on OSX client by default,
> there's still no local attack surface except in the vanishingly rare
> case of people enabling Bind themselves and not having heard about the
> current problems.

Sure, you can't attack a caching resolver on a machine that's not
running one. But you're wrong to say there's no vulnerability on the
client. There are all manner of ways for the client to fall victim to
DNS cache poisoning. Even Microsoft grok this. It would be a huge help
if Apple would follow Microsoft's lead and fix the client too (after
they eventually fix the server properly of course). As far as security
goes, Apple aren't just sleeping on the job, they're sleeping at the
wheel and careering off the road taking us all with them.

The Kaminsky discovery affects everyone because it is inherent to the
way that DNS works. In fact, even the source port randomisation patches
only delay the inevitable. Hackers can still have a guaranteed ability
to poison a resolver's cache, it'll just take them longer. However, with
the endless march of progress bringing increases in bandwidth and
processing power, it won't be long before that's not enough either.

Everything depends on DNS, so the ramifications are serious and very
widely spread. The problem is inherent to the protocol itself. And you
can't fix a protocol that the Internet depends on without a major
re-think and re-implementation that could take years to put into place.
Look at the underwhelming progress that's been made on DNSSec for
evidence of that.

If you're not convinced by anything I have to say, all you have to do is
go and read Dan Kaminsky's presentation that I've already linked to
several times. I've wasted enough time trying to convince this
ungrateful group they're affected. I suppose I shouldn't be surprised
given the attitude of blind faith and irrational delusions of
invulnerability I've seen expressed here in the face of Apple's
appalling track record of previous security failures.

Oh, and when is that rude O'Shea't going to learn to use Google to check
my claim about OpenDNS redirecting Google to their own servers where
they run a proxy (effectively a man-in-the-middle between you and
Google) that has full access to your Google tracking cookie and search
terms? I hope that when he finally gets off his arse and checks that
he'll then come back and give me a grovelling apology. I've wasted
enough time on him myself and, given his unprovoked hostility, I don't
feel he deserves my help in the first place.

--
James Taylor
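
The post's claim that source port randomisation lengthens the attack rather than removing it can be put in numbers. The following is an added example, not part of the original post: a simplified model in which a forged reply must match the 16-bit transaction ID and the resolver's source port. The forged-reply rates, the 0.1 s race window and the 1024-65535 port range are constructed assumptions.

```python
import math

TXID_BITS = 16                      # DNS transaction ID is a 16-bit field
FIXED_PORT = 1                      # resolver always queries from one port
RANDOM_PORTS = 65536 - 1024         # assumption: ports 1024-65535 in use

def search_space(port_count):
    """(TXID, source port) combinations a forged reply has to match."""
    return (1 << TXID_BITS) * port_count

def races_needed(target, forged_per_race, port_count):
    """Race windows needed before the cumulative chance of one matching
    forged reply reaches `target` (races treated as independent)."""
    p = min(1.0, forged_per_race / search_space(port_count))
    if p >= 1.0:
        return 1
    return math.ceil(math.log1p(-target) / math.log1p(-p))

def seconds_needed(target, forged_pps, window_s, port_count):
    """Wall-clock time if races run back to back, each `window_s` long."""
    per_race = forged_pps * window_s
    return races_needed(target, per_race, port_count) * window_s

def compare(forged_pps, window_s=0.1, target=0.5):
    """Time to a 50% chance of a poisoned entry, fixed vs random port."""
    return {
        "fixed_port_s": seconds_needed(target, forged_pps, window_s, FIXED_PORT),
        "random_port_s": seconds_needed(target, forged_pps, window_s, RANDOM_PORTS),
    }

if __name__ == "__main__":
    for pps in (1_000, 10_000, 100_000):   # constructed forged-reply rates
        r = compare(pps)
        print(f"{pps:>7} pps  fixed: {r['fixed_port_s']:10.1f} s"
              f"  random: {r['random_port_s'] / 86400:8.2f} days")
```

In this model randomising the port multiplies the expected effort by roughly the number of ports in use, and every tenfold increase in forged-reply rate cuts the time by about ten, which is the trade-off the post describes.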