Thursday, September 06, 2007

Bad (Security) Journalism

Given that the whole point of Domain Name Service (DNS) servers is to direct computers from domain names to actual machines, this report seems to be missing the point (my emphasis):
A security researcher has found a serious vulnerability in Bind 8 forcing the software's maintainers to issue an advisory for users to upgrade to Bind 9.4, the latest version.

The flaw within Bind 8 software could misdirect users to a fraudulent wedsite (sic) even if a user typed in the correct URL wrote Amit Klein, chief technology officer for security vendor Trusteer. Klein discovered the problem.

There is actually a real problem, referenced here in technical gobbledegook, which exploits a failing in the pseudo-random number generation (for the transaction ID) to con the server into accepting spoofed authoritative responses, which it then caches and feeds down to the clients (i.e. your computer). Think of it as a technical equivalent of a CiF comments thread where some people actually believe the crud in the original posting because of the presumed 'authority' of the poster.
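For the technically inclined, here is the check that the transaction ID is supposed to make hard to fool, as an added example (not code from Bind or from the Trusteer paper). The function names are hypothetical, the addresses are documentation ranges, and the sample response is constructed.

```python
import secrets
import struct

def new_txid() -> int:
    """16-bit DNS transaction ID drawn from the OS CSPRNG, not a guessable PRNG."""
    return secrets.randbits(16)

def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels (length-prefixed, zero-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Header (ID, flags=RD, QDCOUNT=1) followed by one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def sample_response(query: bytes, txid: int) -> bytes:
    """Constructed sample: echo the question with QR set and the given ID."""
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + query[12:]

def accept_response(query: bytes, response: bytes, sent_to, came_from) -> bool:
    """Return True only if the response plausibly answers our outstanding query."""
    if len(response) < 12 or came_from != sent_to:
        return False                # too short, or not from the server we asked
    q_id, = struct.unpack("!H", query[:2])
    r_id, r_flags, r_qd = struct.unpack("!HHH", response[:6])
    if not (r_flags & 0x8000):      # QR bit must mark this as a response
        return False
    if r_id != q_id or r_qd != 1:   # transaction ID must match the one we sent
        return False
    question = query[12:]           # echoed question must match byte for byte
    return response[12:12 + len(question)] == question

if __name__ == "__main__":
    server = ("192.0.2.53", 53)     # documentation address, not a real server
    query = build_query(new_txid(), "www.example.com")
    txid, = struct.unpack("!H", query[:2])
    print(accept_response(query, sample_response(query, txid), server, server))
    print(accept_response(query, sample_response(query, txid ^ 1), server, server))
```

A source address can be forged, so the 16-bit ID is the only field in this check that an off-path sender has to guess; that is why it has to come from an unpredictable generator.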

2 comments:

CityUnslicker said...

yikes - I don't understand a word of this!

Surreptitious Evil said...

That's okay. It took me a while to get a handle on hugely leveraged gambling (aka derivatives).

I really wouldn't look at the Trusteer white paper, though.

Bind is the most popular (and free) version of the software that turns a web address (URL) like "www.cityunslicker.blogspot.com" first into the true name of the server that supports it (blogspot.l.google.com) and then into the IP address of that server (72.14.207.191) so my computer can fetch and display your blog. And it's buggy.

 

(c) 'Surreptitious Evil' 2006 - 2017.