DNS Drama Exposed (Dramatically) - olefoo
http://www.wired.com/techbiz/people/magazine/16-12/ff_kaminsky?currentPage=all

======
dangrover
The article is a lot more fun if you read it to yourself in the movie trailer
guy voice.

"In a WORLD where ONE MAN holds the KEY to the entire INTERNET!"

~~~
joe_adk
Don LaFontaine, recently deceased.

<http://en.wikipedia.org/wiki/Don_LaFontaine>

------
chris11
I realize this is Wired, but did they really have to dramatize it so much? I
mean, come on, talking about the possibility of routing the entire .com domain
through his laptop? It sounded like something that Robert Ludlum would write.

~~~
tlrobinson
They also portray Kaminsky as a pathetic nobody working out of his lonely
apartment, when in reality he was already well respected before the DNS flaw
discovery.

~~~
pg
The device of having a despised outsider turn out to be a hero is extremely
common not just in sci-fi but in heroic tales generally.

What were the odds I'd get to say _that_ twice in one day?

~~~
icky
> What were the odds I'd get to say that twice in one day?

Just don't say it a third time, lest you create an unkillable meme...

~~~
JayNeely
The device of having a despised phrase turn out to be an unkillable meme is
extremely common not just in sci-fi but in heroic tales generally.

~~~
ncognito
With my special training program, anyone can turn 100 despised phrases into
unkillable memes, not just in Hacker News but in social sites generally.

------
nickb
_If the information in an email were accidentally copied onto a hard drive,
that hard drive would have to be completely erased, Vixie said._

Ridiculous. I doubt Vixie said that.

------
jbyers
I heartily recommend the author's previous work in Wired, "High Tech Cowboys
of the Deep Sea." A bit lower on the drama dial, still quite interesting:

[http://www.wired.com/science/discoveries/magazine/16-03/ff_s...](http://www.wired.com/science/discoveries/magazine/16-03/ff_seacowboys)

~~~
thenextweb
Lower on the drama? People get killed in that story, with the reporter
present! I remember that story very well. Made an impression on me. More
exciting than DNS flaws...

------
st3fan
I think this is a terrible article. Paul Vixie has done _nothing_ to fix this
situation. He certainly does not deserve the fame of the article.

Other DNS servers like DJB-DNS and PowerDNS have implemented proper port
randomization as part of their design a LONG time ago. As a result of that
those servers are completely unaffected by this DNS exploit.

Vixie and his BIND crew ignored the whole thing for a long time until it blew
up in their face. Now it is just an excuse to roll out the monster that is
called DNSSEC, of course. Great marketing.
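
A worked illustration of the source-port point made in this post, added here
as an example; it is not code from the thread, from BIND, djbdns or PowerDNS,
and it measures no real resolver. It models the blind cache-poisoning race as
a guessing game over the 16-bit transaction ID alone versus transaction ID
plus a randomized UDP source port, and it includes the kind of coarse check an
operator runs on a captured sample of a resolver's outgoing source ports to
confirm randomization is actually on. Assumptions: 64511 usable ephemeral
ports (well-known ports excluded), forged replies are distinct guesses within
the race window, and the port samples are constructed, not captured.

```python
"""Added example: how much source-port randomization raises the bar for a
blind DNS cache-poisoning race, plus a sanity check on observed source ports.
Model inputs only; nothing here measures a real resolver."""
from math import ceil, log
from typing import Iterable

TXID_SPACE = 1 << 16             # 16-bit DNS transaction ID
EPHEMERAL_PORTS = 65535 - 1024   # assumption: usable source ports once well-known ports are excluded


def guess_space(randomize_port: bool) -> int:
    """Number of (txid, source port) combinations a forged reply must match."""
    return TXID_SPACE * (EPHEMERAL_PORTS if randomize_port else 1)


def race_success_probability(forged_per_query: int, queries: int, randomize_port: bool) -> float:
    """Probability that at least one of `queries` independent races is won.

    Per query, `forged_per_query` distinct guesses arrive before the genuine
    answer, so one race is won with probability forged/space (capped at 1).
    Races are independent because the resolver draws a fresh txid (and port)
    for every query.
    """
    space = guess_space(randomize_port)
    p_single = min(1.0, forged_per_query / space)
    return 1.0 - (1.0 - p_single) ** queries


def queries_for_confidence(forged_per_query: int, randomize_port: bool, target: float = 0.5) -> int:
    """Smallest number of races needed before P(success) reaches `target`."""
    space = guess_space(randomize_port)
    p_single = min(1.0, forged_per_query / space)
    if p_single >= 1.0:
        return 1
    return ceil(log(1.0 - target) / log(1.0 - p_single))


def classify_port_sample(ports: Iterable[int]) -> str:
    """Coarse classification of a sample of observed resolver source ports.

    "fixed": every query used the same port (no port entropy at all).
    "sequential": each port is the previous one plus one (predictable).
    "narrow": distinct but confined to a small slice of the ephemeral range.
    "randomized": none of the above; a real assessment would add a
    distribution test, this is only a first sanity check.
    """
    ports = list(ports)
    if len(ports) < 2:
        raise ValueError("need at least two observations")
    if len(set(ports)) == 1:
        return "fixed"
    deltas = {b - a for a, b in zip(ports, ports[1:])}
    if deltas == {1}:
        return "sequential"
    spread = max(ports) - min(ports) + 1
    if spread < EPHEMERAL_PORTS // 16:
        return "narrow"
    return "randomized"


# Constructed samples (not real captures).
FIXED_SAMPLE = [53] * 8
SEQUENTIAL_SAMPLE = list(range(32768, 32776))
RANDOM_SAMPLE = [40212, 61099, 1107, 53977, 29340, 11782, 60011, 4500]


if __name__ == "__main__":
    forged = 100  # forged replies per race window, a model input
    for randomize in (False, True):
        label = "txid + random port" if randomize else "txid only"
        print(f"{label:>20}: space={guess_space(randomize):,} "
              f"races for 50%={queries_for_confidence(forged, randomize):,}")
    for name, sample in (("fixed", FIXED_SAMPLE), ("sequential", SEQUENTIAL_SAMPLE),
                         ("random", RANDOM_SAMPLE)):
        print(f"{name:>10} sample -> {classify_port_sample(sample)}")
```

The ratio between the two "races for 50%" figures is simply the number of
usable ports, which is the whole argument for randomizing them; the figure
with randomization is large but finite, which is why the next replies treat
randomization as a mitigation rather than a fix.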

~~~
tlrobinson
Well, I'm no expert, but it sounds like source port randomization is a
band-aid, while DNSSEC is the better lasting solution.

~~~
tptacek
DNSSEC is a debacle of epic proportions. It has taken over 13 years for that
one standards effort to solidify to the point where it is today, which is a
"secure DNS" protocol where there is still no real agreement on how to prevent
arbitrary people on the Internet from dumping the contents of your zone files.

I predict, without any real evidence to back me up, that DNSSEC is DOA for a
simple reason: the total Internetwide deployment of resolver libraries with a
"gethostbyname()" interface; none of these libraries can handle transient or
"soft" DNS security failures. SSL, a protocol that is far, far easier to
deploy and manage than DNSSEC, sees transient errors so often that users are
rebelling against the size of the error messages Firefox generates for them.
DNSSEC transient failures kill your lookup.

I can give lots of other reasons why DNSSEC isn't going to work, but that's
one you might not have thought of.

------
bprater
Does anyone have a link detailing the exploit? I'm not a DNS expert, so
something easily consumable would be great.

~~~
tlrobinson
Just ask tptacek, I hear he likes to talk about it ;)

(Thomas Ptacek in the article == tptacek on Hacker News)

~~~
tptacek
You just made my list, tlrobinson. One name. tlrobinson.

------
sireat
The author would probably make a pretty good screenwriter for Sneakers2. I
guess the dictionary word of the day is bombastic...

------
andr
Technical summary, please?

~~~
tlrobinson
There's not much technical in this article, just an overly dramatized account
of the history of this vulnerability.

Not exactly a "summary", but...
<http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html>