
Why open-source DNS is 'internet's dirty little secret' (ZDNet)

ZDNet is running an interview with Nominum manager Jon Shalowitz; it's an amusingly retro experience for those of us who have forgotten what 1990's-style security FUD looked like. "If I have a secret way of blocking a hacker from attacking my software, if it's freeware or open source, the hacker can look at the code. By virtue of something being open source, it has to be open to everybody to look into. I can't keep secrets in there. But if I have a commercial-grade software product, then all of that is closed off, and so things are not visible to the hacker." Needless to say, he is attempting to sell such a product.


Why open-source DNS is 'internet's dirty little secret' (ZDNet)

Posted Sep 23, 2009 13:54 UTC (Wed) by stumbles (guest, #8796) [Link] (5 responses)

Oh boy, the old security by obscurity mantra. Apparently all the applications that run on Windows (any version), and specifically Windows itself, have a lot to learn from Skype. I hideth my code, therefore it is safe.

Why open-source DNS is 'internet's dirty little secret' (ZDNet)

Posted Sep 23, 2009 14:40 UTC (Wed) by smadu2 (guest, #54943) [Link] (1 responses)

Security through obscurity is not totally bad. If a security-related flaw is reported on a mailing list/bug list etc., then attackers have more time before a fix is made and the patches trickle in via distros to users. It's one of the things OSSes have to live with.

Why open-source DNS is 'internet's dirty little secret' (ZDNet)

Posted Sep 23, 2009 15:00 UTC (Wed) by dkite (guest, #4577) [Link]

The flaw with 'security through obscurity' isn't that somehow hiding things is better or worse.

It is simply that it has historically allowed firms to not fix things. Or put off fixing things to fit some marketing ideal.

Full disclosure of flaws was to humiliate vendors into fixing things.

Openness of code or procedures is a sign of confidence. That confidence will always be tested in uncomfortable ways, which will result in a more secure product.

Derek

Why open-source DNS is 'internet's dirty little secret' (ZDNet)

Posted Sep 23, 2009 15:33 UTC (Wed) by martinfick (subscriber, #4455) [Link] (2 responses)

Closed source hardly means obscurity anyway. Does he think decompilers don't exist? Closed source simply means a likely higher "evil eyes to good eyes" reviewing ratio; the good eyes are lazier and don't often waste their time with decompilers.

Why open-source DNS is 'internet's dirty little secret' (ZDNet)

Posted Sep 23, 2009 16:29 UTC (Wed) by drag (guest, #31333) [Link] (1 responses)

Yes. Having the source code hidden just means that you're creating a barrier for understanding how the software works, but it is not an effective prevention.

The attacker still has access to the entire program's code (in machine code format) and is able to learn how the program works through a wide variety of techniques (decompiling, observation).

Why open-source DNS is 'internet's dirty little secret' (ZDNet)

Posted Sep 28, 2009 9:02 UTC (Mon) by Kamilion (subscriber, #42576) [Link]

I feel somewhat obliged to point out something:

Nobody has publicly admitted to having a working Skype protocol library.

They have such an impressive thicket of hammy traffic generation, firewall-jumping, binary obfuscation, hidden imports, debugger traps, dummy code, and polymorphic checksumming that taking it apart has been taking YEARS.

So far, the only scare has been some chump using the Skype client's exported API to silently record calls and chat the same way some of their commercial plugins are capable of doing.

Occasionally when you throw crypto and a couple hundred spanners into the reverse engineer's gears, even security by obscurity can win for long enough to matter.

Frankly, I'm surprised more folks didn't poke at taking apart the embedded ARM binaries for something like the SMC WSKP-100, as I doubt its 200 MHz processor could handle much in the way of obfuscation. Theoretically, it would be a lot easier to run a small ARM emulator for some of these Skype-to-VoIP solutions like OpenSky, as the WSKP-100 only has 32MB of RAM and 16MB of flash. The native Skype client takes up more running memory and disk than that!

Why open-source DNS is 'internet's dirty little secret' (ZDNet)

Posted Sep 23, 2009 14:05 UTC (Wed) by ledow (guest, #11753) [Link]

So, the people who originally wrote BIND9 have made a cloud-based spinoff, of which the general manager is now trying to imply that all open-source software is inherently insecure by virtue of being open-source.

If I were working at Nominum, I think someone might have got a phone call in their office tomorrow. It might be a LONG weekend for them. Not because they think that way, or work on the non-open-source side, but because it's so inherently incorrect and, by announcing it so poorly, that they've managed to condescend one of their own products (that they admit they founded their parent company for).

Apart from that, though, it is just sheer stupidity. For a start, we don't know for sure that it isn't the exact same BSD code at the heart of their (closed source) product! It's bad marketing at best, complete rubbish at worst.

Why open-source DNS is 'internet's dirty little secret' (ZDNet)

Posted Sep 23, 2009 14:08 UTC (Wed) by ahu (guest, #4298) [Link] (2 responses)

Some more on this, including links to discussion on the dns-operations mailing list can be found here.

Why open-source DNS is 'internet's dirty little secret' (ZDNet)

Posted Sep 23, 2009 14:54 UTC (Wed) by nix (subscriber, #2304) [Link] (1 responses)

From that wonderful dns-operations thread, it seems that half of Nominum's DNS servers run, uh, BIND, and their website relies upon Apache.

(But then this is marketing hype. They're not *supposed* to believe it themselves.)

Why open-source DNS is 'internet's dirty little secret' (ZDNet)

Posted Sep 23, 2009 15:34 UTC (Wed) by aorth (subscriber, #55260) [Link]

Haha, we don't know for sure it's really BIND and Apache... they could be faking their signatures to fool script kiddies. Security through obscurity!

Why open-source DNS is 'internet's dirty little secret' (ZDNet)

Posted Sep 23, 2009 14:19 UTC (Wed) by Baylink (guest, #755) [Link] (12 responses)

Well, security by obscurity is *some* security, it's just that it's not *enough* security, and if you decide to use it, then you forfeit the "with enough eyeballs, all bugs are shallow" approach to debugging.

I tend to be nervous about people whose knees jerk in *either* direction, myself.

And, um... what are the roots and the GTLD servers running these days? :-)

Why open-source DNS is 'internet's dirty little secret' (ZDNet)

Posted Sep 23, 2009 14:57 UTC (Wed) by ikm (guest, #493) [Link] (2 responses)

One huge problem with security by obscurity is the false sense of security that the proponents of the approach are trying to affirm so desperately. Without that, it turns into just *some* security, but *with* that you get something which completely clouds (and clogs) the minds of many people to the point that it becomes a major security concern on its own.

Why open-source DNS is 'internet's dirty little secret' (ZDNet)

Posted Sep 23, 2009 15:57 UTC (Wed) by NAR (subscriber, #1313) [Link] (1 responses)

> One huge problem with the security by obscurity is the false sense of security the proponents of the approach are trying to affirm so desperately.

Isn't it exactly the same with the "many eyeballs" approach? Just look at the recent NULL-pointer problems with the Linux kernel.

Why open-source DNS is 'internet's dirty little secret' (ZDNet)

Posted Sep 23, 2009 17:36 UTC (Wed) by quotemstr (subscriber, #45331) [Link]

How many similar problems are lurking in commercial software? Recall the surge of Windows security problems after the leak of the 2000/NT4 kernel source a while back.

Why open-source DNS is 'internet's dirty little secret' (ZDNet)

Posted Sep 23, 2009 16:23 UTC (Wed) by nix (subscriber, #2304) [Link] (8 responses)

Certain classes of security by obscurity *work*; e.g., choosing to use a firewall running a rare architecture will probably protect you from Intel-based shellcode attacks.

Unfortunately this only works to shift the probability of *your* being attacked: other people will be attacked a bit more in exchange, and if everyone did what you're doing, the rare architecture would no longer be rare so this wouldn't work. So this doesn't scale.

(Hm. Continuing on this tangent, what might scale for source-based distros is a tool which generates a modified QEMU which has all the standard x86 instructions only with the opcodes randomized and padding increased randomly (to foil return-to-libc attacks), and a modified binutils and GCC to emit code for such an architecture: so everyone using this tool gets a different random 'architecture'. However it's probably not hugely effective or someone would have done it, so this mad idea is probably a waste of time.)

Why open-source DNS is 'internet's dirty little secret' (ZDNet)

Posted Sep 23, 2009 16:44 UTC (Wed) by jzbiciak (guest, #5246) [Link] (3 responses)

> Certain classes of security by obscurity *work*.

Indeed. Obvious example: Passwords. :-)

Why open-source DNS is 'internet's dirty little secret' (ZDNet)

Posted Sep 23, 2009 18:03 UTC (Wed) by tzafrir (subscriber, #11501) [Link]

Passwords should be easy to change.

Relying on obscurity as an extra layer is fine. You normally don't allow random people to list all names in a DNS domain. Though in just about any case the network should be safe even if an attacker managed to list the zone file.

If you rely on the fact that the user won't happen to find some backdoor you added to make things convenient, you rely on obscurity. Fixing this will probably require changing code. If you rely on the (local and remote) users not to find some security hole you had trouble plugging (and choose not to publish), you're relying on obscurity.

Why open-source DNS is 'internet's dirty little secret' (ZDNet)

Posted Sep 24, 2009 12:19 UTC (Thu) by shane (subscriber, #3335) [Link]

> Certain classes of security by obscurity *work*.
> Indeed. Obvious example: Passwords. :-)

Passwords are not security through obscurity. In that case, the password is the key (in the cryptographic sense).

http://www.schneier.com/crypto-gram-0205.html#1

Obscurity would be designing a system requiring passwords be entered in uppercase on odd numbered days, and lowercase on even numbered days. It adds security only when the system itself is not understood by an attacker. Once you know the "obscure" technique, then it adds little or no extra value.

Why open-source DNS is 'internet's dirty little secret' (ZDNet)

Posted Sep 24, 2009 13:58 UTC (Thu) by Baylink (guest, #755) [Link]

As Shane notes, passwords are not an example of security-by-obscurity, because passwords are a *key*; keys must always be kept secret in any such system.

The question is whether you gain any additional security by keeping secret *how the key is used to secure the system*, which is *not* a part that must inherently be kept secret.

Because you have that choice, you have to weigh the alternatives. The general opinion of security professionals is that the security you gain from SBO doesn't generally outweigh that which you get by having many other security professionals who do not work for you hammering on the code.

In short: while Nominum's code may not have been *successfully* attacked over the period they claim, that's a different issue from whether there *are* any attacks which might successfully be conducted on it. There are; I guarantee you. Who will know about them first?

Well, it's a tossup...

If the bad guys are clever and subtle enough (not a trait Bad Guys have traditionally been known for), then the first people who might find out are end-users who have been scammed into giving away their credit card or identity info, or ... I dunno, HIV status? ... to the bad guys.

Why open-source DNS is 'internet's dirty little secret' (ZDNet)

Posted Sep 24, 2009 2:58 UTC (Thu) by njs (subscriber, #40338) [Link] (3 responses)

> However it's probably not hugely effective or someone would have done it, so this mad idea is probably a waste of time.

There's research on exactly this idea; I believe the original paper is http://portal.acm.org/citation.cfm?id=948109.948147

I suspect that if one made it run at plausible speeds (which may not have to be that fast for your average DNS server) and *packaged* it as an out-of-the-box solution, then people would use it.

In practice I don't know how much better it is than NX and address space randomization, which are a lot cheaper.

Why open-source DNS is 'internet's dirty little secret' (ZDNet)

Posted Sep 24, 2009 6:38 UTC (Thu) by johill (subscriber, #25196) [Link] (1 responses)

It seems like it'd probably be much easier to emulate anything but x86, since you're not going to benefit from hw virtualisation, and x86 instructions are a pain to decode.

Why open-source DNS is 'internet's dirty little secret' (ZDNet)

Posted Sep 24, 2009 9:39 UTC (Thu) by nix (subscriber, #2304) [Link]

True enough. First thing to do is benchmark a bunch of QEMU arches. I just picked x86 because QEMU's x86 support is pretty much guaranteed to work well... (but probably the instruction decoder is correspondingly irregular thus hard to randomize effectively.)

Why open-source DNS is 'internet's dirty little secret' (ZDNet)

Posted Sep 24, 2009 10:10 UTC (Thu) by nix (subscriber, #2304) [Link]

For those of us without an ACM account, there's a copy available on the author's site.

It's a much better design than what I suggested, using a modified valgrind to provide a different random instruction set to each process, doing it as late as possible (s2.2 discusses the tradeoffs here), so that the same instruction will be randomized to different things at different points in the image. Downsides: valgrinding everything is very definitely expensive, executed shared library text becomes nonsharable, and alignments are not adjusted so there is no additional defence against stack-smashing attacks (but the stack-protector canary gives a randomization-based defence there, and you can surely use both at once).

Oh, and a silly one: the randomness is generated by sucking as many bytes out of /dev/random as are in the program text, which is nuts: they should suck a small amount out and use it to seed a strong PRNG of their own.

The code uses valgrind but predates VEX, unfortunately. Porting it to a more modern valgrind might be interesting.
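The design nix describes above (a per-process random key applied to the program text, with the same instruction randomizing to different values at different offsets) and the seeding point from the previous paragraph (expand a small seed with a strong PRNG rather than pulling a text-sized slice out of /dev/random) can be shown on a toy machine. The following is an added example written for this thread, not code from the paper, from valgrind, or from any commenter; the four-opcode stack ISA, the seed strings and the "injected code" model are all constructed for illustration, and HMAC-SHA256 in counter mode stands in for whatever PRNG a real implementation would pick.

```python
import hashlib
import hmac

# Toy ISA (constructed for this example): one-byte opcodes, PUSH carries a one-byte immediate.
PUSH, ADD, MUL, HALT = 0x01, 0x02, 0x03, 0x04
VALID_OPCODES = {PUSH, ADD, MUL, HALT}


class VMFault(Exception):
    """Raised when de-randomized text decodes to garbage (illegal opcode, bad stack)."""


def expand_key(seed: bytes, length: int) -> bytes:
    """Stretch a short per-process seed into a key stream as long as the program text.

    HMAC-SHA256 in counter mode is the stand-in PRNG here: a few dozen bytes of real
    randomness seed it, instead of reading len(text) bytes straight from /dev/random.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(seed, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def randomize(text: bytes, key: bytes) -> bytes:
    """'Load' a program under ISR: XOR each text byte with the key byte at its own offset,
    so an identical opcode at two offsets encodes to two different values."""
    return bytes(t ^ k for t, k in zip(text, key))


def run(encoded: bytes, key: bytes) -> int:
    """Fetch-decode-execute loop; every fetch is de-randomized with key[pc]."""
    stack = []
    pc = 0
    while pc < len(encoded):
        op = encoded[pc] ^ key[pc]
        if op not in VALID_OPCODES:
            raise VMFault(f"illegal opcode {op:#04x} at pc={pc}")
        if op == PUSH:
            if pc + 1 >= len(encoded):
                raise VMFault("PUSH immediate runs past end of text")
            stack.append(encoded[pc + 1] ^ key[pc + 1])
            pc += 2
            continue
        if op == HALT:
            if not stack:
                raise VMFault("HALT with empty stack")
            return stack.pop()
        if len(stack) < 2:
            raise VMFault(f"stack underflow at pc={pc}")
        b, a = stack.pop(), stack.pop()
        stack.append((a + b) & 0xFF if op == ADD else (a * b) & 0xFF)
        pc += 1
    raise VMFault("ran off the end of text without HALT")


# Constructed sample program: computes 6 * 7.
PROGRAM = bytes([PUSH, 6, PUSH, 7, MUL, HALT])


def run_legitimate(seed: bytes) -> int:
    """The loader knows the key, so the randomized text decodes and runs normally."""
    key = expand_key(seed, len(PROGRAM))
    return run(randomize(PROGRAM, key), key)


def injected_code_survives(seed: bytes) -> bool:
    """Model of code injection: the same bytes land in text *without* having been
    randomized under this process's key. Under ISR they decode to junk almost always."""
    key = expand_key(seed, len(PROGRAM))
    try:
        run(PROGRAM, key)
    except VMFault:
        return False
    return True


def injection_survival_rate(trials: int = 200) -> float:
    """Fraction of constructed per-process seeds under which injected plain code still ran."""
    seeds = (b"constructed-seed-%d" % i for i in range(trials))
    return sum(injected_code_survives(s) for s in seeds) / trials


if __name__ == "__main__":
    print("legitimate run:", run_legitimate(b"constructed-seed-0"))
    print("injected code survival rate:", injection_survival_rate())
```

The survival rate is not zero: with one-byte opcodes, a random key byte decodes an injected byte to a valid opcode 4 times in 256, which is the same weakness (small effective key space) that later work on ISR attacked. The two points the thread makes still hold: the key stream makes the encoding offset-dependent, and the seed plus PRNG gives the loader as much key material as the text needs from a fixed, small draw of real entropy.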

Why open-source DNS is 'internet's dirty little secret' (ZDNet)

Posted Sep 23, 2009 14:29 UTC (Wed) by nye (guest, #51576) [Link] (5 responses)

Gotta give them credit. If you're going to come up with FUD about 'open source' meaning 'inherently insecure', you can't get a much better poster child than BIND.

Funnily enough, there's no mention there of djbdns :P.

Why open-source DNS is 'internet's dirty little secret' (ZDNet)

Posted Sep 23, 2009 15:01 UTC (Wed) by DOT (subscriber, #58786) [Link] (4 responses)

I'm sorry, but how can you have studied the effects of free software on security long enough to know that it is allegedly flawed, while at the same time not know that 'freeware' is not the correct term to describe such software?

Why open-source DNS is 'internet's dirty little secret' (ZDNet)

Posted Sep 23, 2009 15:01 UTC (Wed) by DOT (subscriber, #58786) [Link]

The above was not a reply to the above the above.

Why open-source DNS is 'internet's dirty little secret' (ZDNet)

Posted Sep 23, 2009 15:36 UTC (Wed) by martinfick (subscriber, #4455) [Link] (2 responses)

One might think that the term freeware was used deliberately to obscure?

'freeware'

Posted Sep 23, 2009 15:59 UTC (Wed) by epa (subscriber, #39769) [Link] (1 responses)

Yes, I haven't heard the term 'freeware' used for a while. It tended to be used by management / PR types at proprietary software companies.

'freeware'

Posted Sep 23, 2009 17:43 UTC (Wed) by quotemstr (subscriber, #45331) [Link]

"Freeware" is almost as clear a signal of clueless management-speak as the phrase "going forward".

Why open-source DNS is 'internet's dirty little secret' (ZDNet)

Posted Sep 23, 2009 16:20 UTC (Wed) by orev (guest, #50902) [Link]

This kind of thinking is still pervasive in most business settings, especially in any industry not related to software. Don't discount this as "old style" thinking, otherwise you'll find yourself unprepared when faced with these kinds of questions in the future.

What DNS server do they use?

Posted Sep 23, 2009 16:45 UTC (Wed) by mel (guest, #5484) [Link] (1 responses)

This was pointed out to me by a friend that works in a hosting agency.

$ fpdns ns2.nominum.net
fingerprint (ns2.nominum.net, 81.200.68.218): ISC BIND 9.2.3rc1 -- 9.4.0a0

Cue sarcastic clapping.

What DNS server do they use?

Posted Sep 25, 2009 18:07 UTC (Fri) by oloryn (guest, #7408) [Link]

Well, they seem to have jumped on it. Someone there is paying attention:

$ fpdns ns2.nominum.net
fingerprint (ns2.nominum.net, 81.200.68.218): Nominum ANS
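fpdns, as shown in the two posts above, classifies a server from how it responds to a battery of probes, not from what it says about itself; the self-reported text is the version.bind CHAOS TXT record, which is exactly the "signature" aorth suggests could be faked, and which BIND operators set freely with the `version` option. The following added example (not fpdns code, and not from any commenter) builds that query on the wire and parses a TXT answer, with a constructed response standing in for a server, so you can check what resolvers you operate advertise; the transaction id, the TTL and the "not disclosed" string are constructed values.

```python
import socket
import struct

TXT_TYPE = 16      # RR type TXT
CHAOS_CLASS = 3    # class CH, where version.bind lives


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_version_query(txid: int = 0x1234, name: str = "version.bind") -> bytes:
    """12-byte header (flags 0, one question) followed by the CH/TXT question."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TXT_TYPE, CHAOS_CLASS)


def skip_name(msg: bytes, off: int) -> int:
    """Advance past a name, whether written out as labels or as a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte pointer into earlier part of the message
            return off + 2
        off += 1 + length


def parse_txt_answers(msg: bytes) -> list:
    """Return the character-strings of every CH TXT answer RR in a response.

    An empty list is the hardened outcome too: a server configured to refuse
    (rcode REFUSED) or to answer with nothing yields no strings.
    """
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x0F != 0:               # non-zero rcode: REFUSED, NXDOMAIN, ...
        return []
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4   # name, then QTYPE and QCLASS
    strings = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TXT_TYPE and rclass == CHAOS_CLASS:
            p = 0
            while p < len(rdata):       # TXT rdata is a run of <len><chars> strings
                n = rdata[p]
                strings.append(rdata[p + 1:p + 1 + n].decode("ascii", "replace"))
                p += 1 + n
    return strings


def constructed_response(version_text: str, txid: int = 0x1234) -> bytes:
    """Constructed sample of what a server answers: AA response, question echoed,
    one TXT RR whose name is a pointer (0xC00C) back to the question name."""
    question = encode_name("version.bind") + struct.pack("!HH", TXT_TYPE, CHAOS_CLASS)
    rdata = bytes([len(version_text)]) + version_text.encode("ascii")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TXT_TYPE, CHAOS_CLASS, 0, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)
    return header + question + answer


def query_version(server: str, port: int = 53, timeout: float = 2.0) -> list:
    """Ask a resolver you operate what it advertises (network call; not exercised offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_query(), (server, port))
        data, _ = s.recvfrom(512)
    return parse_txt_answers(data)


if __name__ == "__main__":
    # Offline demonstration against the constructed response.
    print(parse_txt_answers(constructed_response("not disclosed")))
```

The operator-controlled string is why the banner is the thin layer tzafrir describes earlier in the thread: setting it to something uninformative (or refusing the CH query) costs nothing and removes one free data point, but a behavioural fingerprinter still classifies the server, so the real defence remains keeping the software patched.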

Why open-source DNS is 'internet's dirty little secret' (ZDNet)

Posted Sep 23, 2009 21:12 UTC (Wed) by spiro (guest, #54657) [Link]

"You really do need to look under the hood and kick the tyres. Maybe it's a Ferrari on the outside, but it could be an Austin Maxi on the inside."

This comment completely contradicts everything else he said. In fact, that statement supports the concept of open software.

Why open-source DNS is 'internet's dirty little secret' (ZDNet)

Posted Sep 24, 2009 1:13 UTC (Thu) by divide_by_zero (guest, #60957) [Link] (1 responses)

I would say this is unbelievable, but I just had an argument with someone the other day that says open source should be avoided by the military because your enemy would then have sensitive information about your equipment.

I think anybody who thinks this does not code. If it were easy to find holes in programs, or "Achilles' heels", by looking at the source code, the programmers would look and fix them. It's easier to find problems and exploits by running "stress tests" with the programs, compiled. You only really need to check the code to fix it, or to understand exactly what is going on. That doesn't matter much for an attacker. He might only be interested in seeing how to fully exploit a bug, for example...

Why open-source DNS is 'internet's dirty little secret' (ZDNet)

Posted Sep 24, 2009 6:58 UTC (Thu) by philipstorry (subscriber, #45926) [Link]

And more importantly, the source code is not the binary instruction stream.

A bug could easily be introduced by the compiler. It's happened before, it'll happen again.

You could turn off all optimisations in the compiler, but even then you still have no way of knowing whether or not the code the compiler uses for basic language statements/functions (like printf) is sound.

(Well, if it's open source you can check. But a total open source stack, including the compiler, libraries, OS, BIOS and hardware firmware would total many millions of lines of code to check. Have a nice rest of your life whilst you do that...)

Anyone who thinks that source code magically disgorges bugs when you look at it is living in cloud cuckoo land, and really underestimating the complexity of software.

I was going to say modern software, but it then occurred to me that nothing I've written couldn't have applied in the 1970's either. The more things change, the more they stay the same...


Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds