Posted by Barry Margolin on June 25, 2007, 9:12 pm
> Barry Margolin wrote:
>
> > But it doesn't make OpenDNS a security hole for the people who DO want
> > to make use of its features.
>
> And doesn't have to, because it already is one.
>
> > If you have antivirus software, do you maintain all the signatures
> > yourself, or do you let it download them from the AV vendor
> > automatically? Even if YOU maintain it yourself, do you think that 90%
> > of computer users could do this competently?
>
> And what exactly does antivirus software have to do with security? Beside
> introducing vulnerabilities?
It seems like you have a completely different idea of computer security
than most of the rest of us. If we're not talking the same language, we
can't have a reasonable discussion, so I give up.
--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
Posted by Sebastian G. on June 25, 2007, 11:28 pm
Barry Margolin wrote:
>
>> Barry Margolin wrote:
>>
>>> But it doesn't make OpenDNS a security hole for the people who DO want
>>> to make use of its features.
>> And doesn't have to, because it already is one.
>>
>>> If you have antivirus software, do you maintain all the signatures
>>> yourself, or do you let it download them from the AV vendor
>>> automatically? Even if YOU maintain it yourself, do you think that 90%
>>> of computer users could do this competently?
>> And what exactly does antivirus software have to do with security? Beside
>> introducing vulnerabilities?
>
> It seems like you have a completely different idea of computer security
> than most of the rest of us. If we're not talking the same language, we
> can't have a reasonable discussion, so I give up.
Well, if you don't want to proclaim that virus scanners could provide
reliable protection against viruses (which they can't, by design), then your
point is obviously moot. And if you want that, then you should better reconsider
the definition of security.
Now, for almost no user did AV software actually provide any measurable
benefit. At best it just stretches the time until the systems become
infected anyway, or rather delude the detection of the compromise. It can't
provide any means to secure a chronically insecure system.
At any rate, stop telling nonsense. OpenDNS does modify DNS replies without
your strict control (thus you can't see if they actually adhere to the
configuration you provided and not modify much more, or way less, or in a
different way), and it definitely breaks root-delegation. In comparison to a
non-defective stub resolver (as most people use), and unmodified
caching-only name server (as most ISPs provide) or especially an own name
server (as competent users run), this is definitely a decrease in security.
And, whether you like it or not, using the additional crap features
intentionally makes the protocol violation even worse. But I guess you don't
understand the technical means of the difference between NXDOMAIN and
SERVFAIL in terms of a DNS resolver, so better ask the guys who had to
fiddle with the consequences of VeriSign's SiteFinder attack.
Posted by Barry Margolin on June 26, 2007, 12:00 am
> Well, if you don't want to proclaim that virus scanners could provide
> reliable protection against viruses (which they can't, by design), then your
> point is obviously moot. And if you want that, then should better reconsider
> the definition of security.
Security is not an absolute, it's a continuum. Virus scanners are not
total protection, but having them is better than not having them.
> At any rate, stop telling nonsense. OpenDNS does modify DNS replies without
> your strict control (thus you can't see if they actually adhere to the
> configuration you provided and not modify much more, or way less, or in a
> different way), and it definitely breaks root-delegation. In comparison to a
> non-defective stub resolver (as most people use), and unmodified
> caching-only name server (as most ISPs provide) or especially an own name
> server (as competent users run), this is definitely a decrease in security.
I don't use OpenDNS myself. But I know that many people use it because
they've had reliability problems with their ISPs' nameservers, and
they've found OpenDNS's track record to be better.
As far as I understand it, OpenDNS only rewrites names as part of its
typo-correction feature. I think this is what you're referring to by
"breaks root-delegation". But I assume it only corrects names that
don't exist, so there's no harm done. And this is a user-selectable
option -- if you want normal root delegation, don't use it.
Are you really claiming that even if you turn off all the options that
modify DNS responses, that OpenDNS still interferes with DNS lookups?
Or are you just spreading FUD because they *could* do so? Well, so
could ISPs, and so could the Internet root or GTLD servers. In fact, a
few years ago the GTLD servers DID do this -- Network Solutions
implemented a "feature" where nonexistent domains were redirected to
their search page. This affected practically all ISPs, not just users
who opted into a particular service.
So just about any use of DNS is a security problem -- you're implicitly
trusting the operators of all those servers to do what we expect.
Whether OpenDNS is more or less secure depends on your personal needs
and expectations.
--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
Posted by Sebastian G. on June 26, 2007, 12:30 am
Barry Margolin wrote:
>
>> Well, if you don't want to proclaim that virus scanners could provide
>> reliable protection against viruses (which they can't, by design), then your
>> point is obviously moot. And if you want that, then should better reconsider
>> the definition of security.
>
> Security is not an absolute, it's a continuum.
Security also has various properties, one of them is *reliability*. Something
that virus scanners are lacking, by design.
Now, just write a virus. It will infect systems until someone detects it,
submits it to an AV vendor, who then creates and delivers a signature. In
the meantime, you're hosed.
Oh, and then write one that constantly modifies itself by reordering its
instructions based on a keyed CSPRNG. Trivially this will bypass any
signatures and behaviour detection.
Well, do I have to mention that the real solution against viruses is a
no-exec policy, thus only running applications from a whitelist? Trivial,
practicable, reliable, secure.
> Virus scanners are not
> total protection, but having them is better than not having them.
Interestingly I can clearly verify that the contrary is true on this machine.
infections without virus scanners: 0
vulnerabilities without virus scanners: 0
infections with virus scanners: 0
vulnerabilities with virus scanners: well, just KAV alone would provide
13 vulnerable kernel hooks...
So, you think that introducing new vulnerabilities to a very secure system
makes it better? Better w.r.t. which criteria?
> As far as I understand it, OpenDNS only rewrites names as part of its
> typo-correction feature. I think this is what you're referring to by
> "breaks root-delegation".
Well, that's the consequence.
> But I assume it only corrects names that don't exist, so there's no harm
> done.
Well, this is definitely harm, because it will even "correct"
www.i-dont-exist-coz-i-was-spetl-wrong.com.
> And this is a user-selectable
> option -- if you want normal root delegation, don't use it.
Breaking root delegation is imposed for all recursive queries, and even
explicit delegation is broken due to the inaccurate replies.
> In fact, a few years ago the GTLD servers DID do this -- Network Solutions
> implemented a "feature" where nonexistent domains were redirected to
> their search page. This affected practically all ISPs, not just users
> who opted into a particular service.
Guess that's why you should want root-delegation-only, and why they got
slammed by ICANN. And with OpenDNS you'd practically make this problem apply
to all your queries, not just one single gTLD. Excellent idea!
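To make the NXDOMAIN-versus-rewrite distinction in this exchange concrete, here is an added example (mine, not code from the thread or from OpenDNS) that parses a DNS reply to a probe for a name that cannot exist and reports whether the resolver answered NXDOMAIN, failed (SERVFAIL, REFUSED, empty), or synthesized an address the way a typo-correction or SiteFinder-style service does. All function names and the three constructed replies are assumptions, and 192.0.2.10 is documentation address space, not a real host.

```python
import struct
# RCODE values from RFC 1035; the thread turns on NXDOMAIN (3) vs SERVFAIL (2) vs NOERROR (0).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid=0x1234):
    # Recursive A query: header with RD set, then the qname as length-prefixed labels, qtype=A, qclass=IN.
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def build_response(query, rcode, a_records=()):
    # Constructed reply: echo the question, set QR|RD|RA plus rcode, append A RRs that point back at the qname.
    hdr = struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0], 0x8180 | rcode, 1, len(a_records), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
                   + bytes(int(o) for o in ip.split(".")) for ip in a_records)
    return hdr + query[12:] + rrs

def skip_name(msg, off):
    # Advance past a domain name, whether spelled out or given as a 2-byte compression pointer.
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def classify_response(msg):
    # Parse the header and answer section of a reply to a probe for a name that must not exist.
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = RCODES.get(flags & 0x0F, str(flags & 0x0F))
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4              # skip qtype and qclass
    ips = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    if rcode == "NXDOMAIN":
        verdict = "nxdomain"        # honest: the name does not exist
    elif rcode == "NOERROR" and ips:
        verdict = "rewritten"       # an answer was synthesized for a nonexistent name
    else:
        verdict = "failed"          # SERVFAIL/REFUSED/empty: the lookup failed, which is not "absent"
    return {"rcode": rcode, "a_records": ips, "verdict": verdict}
# Constructed probe (the thread's misspelt name) and three constructed replies to it.
PROBE = build_query("www.i-dont-exist-coz-i-was-spetl-wrong.com")
HONEST = classify_response(build_response(PROBE, 3))
REWRITTEN = classify_response(build_response(PROBE, 0, ["192.0.2.10"]))   # documentation-space address
FAILED = classify_response(build_response(PROBE, 2))
```

To check a live resolver, send a query built with a fresh random label over UDP port 53 and pass the reply bytes to classify_response; a "rewritten" verdict means the resolver is not returning NXDOMAIN for nonexistent names.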
Posted by Barry Margolin on June 27, 2007, 1:04 am
> Barry Margolin wrote:
>
> >> Well, if you don't want to proclaim that virus scanners could provide
> >> reliable protection against viruses (which they can't, by design), then your
> >> point is obviously moot. And if you want that, then you should better reconsider
> >> the definition of security.
> >
> > Security is not an absolute, it's a continuum.
>
> Security also has various properties, one of them is *reliability*. Something
> that virus scanners are lacking, by design.
>
> Now, just write a virus. It will infect systems until someone detects it,
> submits it to an AV vendor, who then creates and delivers a signature. In
> the meantime, you're hosed.
Without the AV software, you're hosed forever. Which is better?
>
> Oh, and then write one that constantly modifies itself by reordering its
> instructions based on a keyed CSPRNG. Trivially this will bypass any
> signatures and behaviour detection.
>
> Well, do I have to mention that the real solution against viruses is a
> no-exec policy, thus only running applications from a whitelist? Trivial,
> practicable, reliable, secure.
But since the OS doesn't do that, you need other protection. As an end
user you can't change the OS policy, you're stuck with it. You need a
solution that works within its limits.
Should we stop trying to develop cures and vaccines for STDs because the
real solution is to not have sex with people with STDs? Sometimes you
have to live with the fact that the "real solution" isn't going to
happen, and you make do with a "good enough" solution.
And the "no-exec" policy will only protect you from malware based on
executing applications. It does nothing to protect you from phishing
sites. And a whitelist only works if you know what programs to allow.
What about a trojan that looks like a desirable program? If it's
masquerading as a game you want to play, you'll put it on the whitelist
(that's the very definition of a Trojan Horse).
--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***