Monday, December 03, 2007
DNS hacked, again
Just a reminder that open source doesn't mean more secure. It can. But it doesn't have to.
Kind of scary that the bug has been there for 10 or 15 years.
Besides making sure your DNS servers are running up-to-date versions of their DNS software, I think Klein's findings bring up another interesting point. Open source advocates are always touting how open source software allows programming and security bugs to be found faster than in closed source software. It certainly makes sense: there's source code to review, and more eyeballs to review it. But as Klein's research shows, it doesn't make that much of a difference. In the 10 to 15 years that have gone by, nobody (publicly) found the bugs in either the closed source or the open source version inherently faster. Both errors went undetected for more than a decade, until one person got interested in the research.
There are dozens of cases just like this, where open source bugs remained unfound for a decade or more, until one lone individual on a personal quest did some digging. You can look at any of the popular protocols and encodings (such as SMTP, SNMP, HTTP, FTP, ASN.1, and so on) and find vulnerabilities that went undiscovered for over a decade. Heck, people are still finding problems in IPv4 packet handling that has been around for 20-odd years. And as far as I can tell, whether or not the product was open source didn't really play a part in the finding or the fix, although the open source fixes are consistently coded faster once the problem is located. What mattered most was a single person (or company) that cared enough to investigate. To the people doing responsible bug disclosure, I salute you!
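The one action item in the post is "make sure your DNS servers are running up-to-date versions." The script below is an added example, not code from the post or from ISC, of how I would do that first pass from a shell: ask each resolver for its CHAOS-class `version.bind` record with `dig`, normalize the answer (including `-Pn` patch levels), and compare it against the minimum release named in your vendor's advisory. The minimum version, the constructed sample answers, and the function names are all assumptions for illustration; the real fixed version comes from the advisory, not from this script.

```shell
#!/bin/sh
# Added example (not from the original post or from ISC): compare the version
# banner a BIND server reports with a minimum release taken from an advisory.
# MIN_BIND is a placeholder assumption; replace it with the advisory's version.
MIN_BIND="9.9.9"

# Live query of the CHAOS-class version.bind TXT record. Operators can hide or
# fake this banner, so treat the answer as a hint and confirm the package
# version on the host. Not exercised by the offline sample run below.
query_version_bind() {
    dig @"$1" version.bind txt chaos +short
}

# Turn a dig +short answer such as "9.4.1-P1" into a comparable dotted form:
# strip quotes, make -Pn patch levels an extra numeric component, drop the rest
# (so "9.4.2rc1" compares as 9.4.2; pre-releases need a manual look).
normalize_version() {
    printf '%s' "$1" | tr -d '"' | sed 's/-P/./; s/[^0-9.].*//'
}

# version_ge A B: succeed when dotted version A is greater than or equal to B.
# Missing components count as 0, so 9.4.1 equals 9.4.1.0 but is below 9.4.1-P1.
version_ge() {
    a=$(normalize_version "$1"); b=$(normalize_version "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# bind_version_ok ANSWER [MIN]: print a verdict and succeed only when the
# banner parses and meets the minimum. Hidden or unparseable banners fail
# closed, so the host gets checked by hand instead of being marked fine.
bind_version_ok() {
    min=${2:-$MIN_BIND}
    v=$(normalize_version "$1")
    case $v in
        [0-9]*) ;;
        *) echo "unparseable banner: $1"; return 1 ;;
    esac
    if version_ge "$v" "$min"; then
        echo "ok: $v >= $min"; return 0
    else
        echo "OUTDATED: $v < $min"; return 1
    fi
}

# Offline sample run over constructed answers (not real server output);
# the minimum used here is a sample value, not the advisory's.
sample_run() {
    for ans in '"9.4.1-P1"' '"9.3.4"' '"surely you must be joking"'; do
        bind_version_ok "$ans" "9.4.1-P1" || true
    done
}
sample_run
```

Against live servers, loop `query_version_bind` over your resolver list and pipe each answer into `bind_version_ok`; anything that fails closed (hidden banner, custom string) goes on the list to verify from the package manager on the box itself.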