Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Comments re ISC's announcement on bind9 security

from [Network Protocol Security] Network Security [Permanent Link]
Subject: Comments re ISC's announcement on bind9 security
Date: Mon, 29 Oct 2007 21:43:10 +0200 
BugTraq

I found this ISC announcement quite amusing:
http://www.isc.org/index.pl?/sw/bind/docs/response_transaction_id_issues.php
It's a text published by ISC as a follow up to the bind9 predictable id saga.

Particularly the following statement is funny, and shows complete lack
of understanding of the terminology and of the problem space:

'ISC would like to assure the Internet community that this is much
less an issue of using "extremely weak crypto" as it has been
described, than the use of a random number generator that did not
provide sufficient randomness.'

My understanding is that they used a pseudo random number generator in
bind9, and when you use a pseudo random number generator (whose
sequence in this case is predictable after observing about a dozen
outputs) instead of a strong cryptographic algorithm whose sequence
cannot be practically predictable, how do you call this? right -
"extremely weak crypto".

The irony is that statement is found in a text intended to instill
trust and reassure the bind9 users that ISC digs security...

(another mistake in the ISC announcement is right at the top of the
page, where it reads "In June of 2007, a problem regarding Transaction
ID generation in BIND 9.4.1 (and prior) was reported to Internet
Systems Consortium (ISC) engineers." but according to Trusteer, they
reported it on May 29th:
http://www.trusteer.com/docs/bind9dns.html#chapter_4)
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  rPSA-2007-0225-2 firefox thunderbird, rPath Update Announcements
Next by Date:  Heap overflow in RealPlayer ID3 tag parser, NGSSoftware Insight Security Research
Previous by Thread:  rPSA-2007-0225-2 firefox thunderbird, rPath Update Announcements
Next by Thread:  Re: Comments re ISC's announcement on bind9 security, Shane Kerr
Indexes:  [Date] [Thread] [Top] [All Lists]