Bugtraq mailing list archives

Re: Comments re ISC's announcement on bind9 security


From: Tim <tim-security () sentinelchicken org>
Date: Fri, 2 Nov 2007 12:01:42 -0400

Hi Shane,

> It shouldn't cause any performance issues to do a refresh every few seconds,
> although I would think you'd be better off simply using a larger pool. I haven't
> tested it, but you should be able to set the pool size to 16384 for that magical
> 30 bits of entropy you want (you probably want to set the refresh to a very
> large value in this case).

Does BIND choose those ports in a cryptographically secure way?  Can it
be configured not to re-use a socket for multiple queries in a row?  Not
sure what the current algorithms are... please pardon my ignorance.  If
BIND is reusing bound UDP ports for multiple queries in a row, then that
definitely reduces the entropy.


> I'm sorry you're frustrated. There are a lot of ways you can change the
> direction of ISC development. Firstly, you can submit source code - we like that
> one especially. Secondly, you can fund development, and have us develop code
> that you need or want done. Thirdly, you can join the BIND Forum and give us
> recommendations and feedback there. Or fourth, you can simply ask us.

Well, under normal circumstances I might consider contributing code or
helping you get your collective security act together.  However, other
ethically-questionable practices that the ISC engages in pretty much
prevent that from ever happening.  

In particular, your organization charges for early security
vulnerability information.  I personally feel that creates a huge
conflict of interest.  You produce a product.   If there are
vulnerabilities in that product, you boost revenue from your early
notification program, since users will be incented to join the members
program. Hmm...  Sounds like one fine line away from a protection
racket.  What stops any random "evil hacker" from joining this program
as a sponsor and using that information to attack BIND users who aren't
in your special club?  Nope, sorry, no contributions from me.

The information about using randomized source ports has been around
forever in multiple public forums.  If the ISC wanted to make a more secure
product they would have drawn from these sources long ago.

> Don't worry, I don't take it personally. I've been working in technology enough
> to know that people tend to flame first, and ask questions later. I don't like
> it, and I wish it wasn't part of the techy culture, but there it is.

For the record, I did ask questions first before making wild
allegations. ;-)

tim
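
The entropy arithmetic discussed above (a 16384-port pool, i.e. 14 bits, plus the 16-bit TXID giving 30 bits) and the socket-reuse caveat, as an added example that is not part of the original thread or of BIND: it scores a constructed sample of a resolver's outgoing queries (source port, TXID pairs, as one would pull from a capture of upstream traffic) for distinct ports, empirical port entropy and consecutive port reuse. The observation lists and the function names are constructed for illustration.

```python
"""Estimate how much source-port randomness a resolver actually uses.

Added example (not from the original thread). Input is a constructed list of
outgoing-query observations (src_port, txid) as one would extract from a packet
capture of the resolver's upstream traffic. The bit counts follow the thread's
arithmetic: a pool of 16384 ports (14 bits) plus a 16-bit TXID gives 30 bits.
"""
import math
from collections import Counter

TXID_BITS = 16  # the DNS transaction ID is a 16-bit field

def pool_bits(pool_size: int) -> int:
    """Bits of port entropy an ideally random choice from pool_size ports gives."""
    return int(math.log2(pool_size))

def guess_space_bits(pool_size: int, socket_reused: bool = False) -> int:
    """Bits an off-path forger must guess per query.

    If the resolver reuses the same bound UDP socket for consecutive queries,
    the port is already known after the first query and only the TXID remains."""
    return TXID_BITS + (0 if socket_reused else pool_bits(pool_size))

def shannon_bits(values) -> float:
    """Empirical Shannon entropy (bits) of the observed values."""
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())

def consecutive_port_reuse(observations) -> int:
    """Number of queries sent from the same source port as the query before."""
    ports = [p for p, _ in observations]
    return sum(1 for a, b in zip(ports, ports[1:]) if a == b)

# Constructed observations: (src_port, txid) for 8 upstream queries each.
GOOD_RESOLVER = [(51234, 0x1a2b), (33871, 0x9c01), (60011, 0x4420), (42977, 0xf00d),
                 (55302, 0x0b1e), (38460, 0x7777), (49152, 0x2e2e), (61500, 0xabcd)]
REUSING_RESOLVER = [(53, 0x1a2b), (53, 0x9c01), (53, 0x4420), (53, 0xf00d),
                    (53, 0x0b1e), (53, 0x7777), (53, 0x2e2e), (53, 0xabcd)]

def report(observations) -> dict:
    """Summarise how well the observed queries spread across source ports."""
    ports = [p for p, _ in observations]
    return {
        "distinct_ports": len(set(ports)),
        "port_entropy_bits": round(shannon_bits(ports), 2),
        "consecutive_reuse": consecutive_port_reuse(observations),
    }

if __name__ == "__main__":
    print("30-bit target needs a pool of", 2 ** (30 - TXID_BITS), "ports")
    print("randomizing:", report(GOOD_RESOLVER))
    print("reusing    :", report(REUSING_RESOLVER))
```

With only eight samples the empirical entropy tops out at 3 bits, so treat the distinct-port count and the reuse counter as the meaningful signals and gather thousands of queries before reading the entropy figure.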

