Jeff Moss (Credit: Darington Forbes)
Like many young hackers, Jeff Moss got his start copying computer games, learned how to program, and began to explore the world through a modem.
Unlike many young hackers, Moss has managed to turn his computer and social-networking skills into a business. He founded Defcon, the first major hacker conference and the largest in the world, as well as Black Hat, its more corporate counterpart. And now he is helping the U.S. government, as a member of the Homeland Security Advisory Council.
Moss talked to CNET News during National Cyber Security Awareness Month about his digital coming-of-age and how Google, Yahoo, Facebook, and other sites are putting consumer privacy at risk and jeopardizing social-justice movements around the world.
This is the final installment of a two-part Q&A with Moss. Part 1 ran on Friday.
Q: When you first started Defcon, that was what year again?
Moss: Ninety-two, '93. I think I started planning in '92 and it happened in '93.
So, things were different then. Can you talk about how the landscape has changed and what the real threats are now?
Moss: I'd say the biggest change is just that money got involved and once money was involved it changed everything. Actually that's not true. Technology grew up. So two things: money and technology. Technology grew up and a lot of the original motivations for hacking sort of changed, at least for my generation. When Internet access is essentially free and Unix is free and phone calls are essentially free and pennies on the minute, not dollars on the minute, why do you need to steal a phone call when it's free? Why do you need to break into a university to read man (manual) pages on Unix when you can download free security guides online?
You had to work so hard to learn something, and once you learned it you felt like it was yours. You made it yours by discovering it and figuring it out and sharing it with your friends. But now it's basically just handed to you on a Google search page so that motivation is just different now. Now it's not a question of figuring out how the SS7 phone switching network works. You can download 50 documents that tell you how it works. It's more about now the information is basically free what do you do with the information? How do you use it? Before it was about the quest for information; just getting your hands on the information was a victory.
As soon as people started making money on the Net...during the dot-com boom, that's when you could see the impact. Everybody needed somebody with Internet skills. And at that time it was hackers and early adopters. So all the early adopters could go out and get paid for their hobbies. That changed the nature of it too. It became a job as opposed to a hobby. When the criminals finally caught on that there was some real money with low risk and potential high reward...once nation states and organized crime groups got involved, that was the end of the age of innocence. It happened really quickly; 10 years or so. It used to be that you could probably defend against the bored college student and a couple of his buddies and you could do some defensive maneuvers and watch your log and know when somebody is poking around (your network) and have a pretty good handle on things.
Audio: this interview is also available as an edited audio version (interviewer: CNET's Elinor Mills).
But the amount of noise and the amount of scanning and the amount of resources that people can put against you now, it's kind of...(laughs) I used to always say that large governments, military, and an EDS or a Microsoft, they've got the in-house talent to defend themselves and the budget to do it if they have to. But the SMBs, the small and medium businesses, they don't have the talent or the budget or the experience, so those poor companies are at a disadvantage in this kind of world... The technology hasn't matured to where you just plug it in and it works. You still need a certain amount of high-end talent if you want to be secure. So we're not at the point where you buy a car and you've got the air bag. We're not there yet. Every year the bar keeps getting raised and it's a little bit harder to break in. But that just means that the better-funded organized crime groups and governments could potentially be the last ones left standing. And when the attacks get so sophisticated and so subtle your average sec guy is not going to necessarily have the computer skills to protect against it.
Is that an argument then for managed security services?
Moss: Hmm. Do you mean something like a Counterpane, the sort of centralized log management where they analyze everything?
Yeah.
Moss: That's essentially (similar to the idea of putting) your eggs in less baskets and have experts watch the logs. The DHS (Department of Homeland Security) is trying to do that with Einstein. It seems like that's a rational response to the problem. I'll have to think about that. The problem is by the time they notice something is the damage already done if they're infiltrating secrets, say, versus defacing your home page? If you look at the nature of the problems the organized crime groups generally want money and the government wants secrets and they go about their business differently because the goals are different. Maybe centralized services like that work better against one group than the other.
How did you first get into hacking and on to computer security? What got you interested in all this?
Moss: It was kind of random. My dad was a doctor at the University of San Francisco and the university was offering some discount if you bought an IBM, you could get it at some kind of educational discount...so they bought a pretty expensive computer back then for me and my sister to play with.
How old were you?
Moss: I was right around 12 or 13.
And you are how old now?
Moss: Thirty-nine. And my sister wasn't interested in it. She ended up getting into music and it turned into my computer instead of the family's computer. I started off as a software pirate. You're 13 years old and your buddy gets a game for his birthday and I've got a game and there just weren't that many games on the PC back then. You could either just straight copy the game or if there was some sort of copy protection you saved up and bought a copy of 'Copy to PC' and you could copy each others' games. You would try to figure out why did that work. There weren't a whole lot of programming books back then so I learned BASIC and I started learning assembly language.
And then to upgrade the machine you had to learn how to take apart the machine and it was much cheaper to buy memory and install it yourself than to buy a memory card. I had no money as a kid. So there were these overclocking kits you could buy for like $50 or $60. You could overclock your CPU to make it go 30 or 40 percent faster. Instead of going something like 6.55 or whatever megahertz, you could make it go 8 megahertz and that was awesome. So then you would figure out why does that work? What's going on there?
And then the huge revelation for me was getting a modem. Once I got an acoustic coupler modem, a 300-baud modem, that was the beginning of the end for me because all of a sudden I got to communicate (with others online). It started with my friends who had modems and I would use them over at their house and eventually I saved up and got my own. And you would be on these message bulletin board systems talking with people in the Bay Area. They didn't know your age or your gender or your education or anything and you're having conversations with grownups about grownup topics, drugs, technology, music, whatever it is. The sort of conversations you didn't have with your parents. You could overhear other people having conversations about (things). It was this great glimpse into the bigger world that was out there. And that really opened up my eyes. It was different from what we talked about at school. It was different from what you talked about with your friends, your parents. It was a whole other world and it just made you want to find more and more bulletin boards and more and more people. And that led to phone phreaking, trying to figure out how the phone systems worked and how to call longer distance and the cheapest way to do it. It was that exploration.
And it was all very random for me. I knew about the phone systems because I ran a bulletin board and I spent a lot of time dialing long distance to get onto different bulletin boards. And I knew about software programming but I didn't really know about hacking until a chance encounter with someone. And he had the opposite experience. He didn't know anything about phones and he didn't know anything about copy protection or reverse engineering that way, but he knew all about hacking. He knew all about networking, which is something I didn't know about because I didn't have a network in my house. Everything was point-to-point dial-up. Nothing was a network. So through him I learned about networking.
Things happened in my life at certain times. Very random. It was luck. I was lucky my parents bought that computer. It was lucky I learned about the modem and lucky I ran into that guy who taught me about hacking. I would love to say it was some master plan on my part, but it was a happy set of circumstances.
That reminds me of the Malcolm Gladwell book "Outliers" that I'm reading right now. It's very relevant to what you're talking about--that it's not just intelligence, but also opportunities that give people the ability to accomplish things.
Moss: Is that the book that talks about the 10,000 hours (the amount of time it takes to practice something in order to become a success at it)?
Yes.
Moss: Somebody told me about that and I totally believe it. If I think about it, I put in thousands and thousands and thousands of hours just talking to people and reading and programming and screwing around with computers and trial and error on phones and everything until it became sort of second nature. If you think about people who are really good with musical instruments, they put in tens of thousands of hours. Or (people) working on cars. I have a friend who is a fantastic car guy and he grew up with a wrench in his hand. He innately understands how mechanical things work.... (These people) see the world differently (and have) developed a sixth sense toward it.
Do you have a sixth sense toward hacking?
Moss: Well, you have a sixth sense toward looming problems. Somebody announces an (integration) project and you just think to yourself "Oh, that's going to be a problem. How are they going to do that?" From a technology standpoint how are they ever going to get all those systems to work and from an HR or organizational standpoint, you just know it's not going to happen...
In the back of my head I wonder if we haven't embraced the Internet technologies (too) quickly. If you're going to touch these critical systems you need a different mentality. You need a different skill set. I don't know. For example, SCADA (Supervisory Control and Data Acquisition) systems are starting to be hooked up to Web interfaces and it makes central management really easy and it makes understanding and visualizing the process flow information really easy. So the managers hear that and think cost savings and ease of management and ease of visibility. I hear that and I think "Whoops, that's going to be a problem." You're joining these two networks with Web protocols that are essentially inherently insecure or are difficult to secure and then you go and listen to Moxie Marlinspike talk about the problems with SSL and you think to yourself, "That's a problem." You just get a sixth sense about things like that.
So we've covered a lot of ground here. Is there anything else to discuss about computer security, cybersecurity, your background?
Moss: I have a current rant I've been going on about. It's my low-hanging fruit rant. Six months ago there was an open letter to Google asking them to please make everything HTTPS (Hypertext Transfer Protocol Secure) by default and I was a signer on that letter. It was another one of those (proposals that) made total sense. Why isn't there a push to just make everything HTTPS by default? Because everybody's browsers work with it. Computers are fast enough now. Home PCs are fast enough that the extra encryption doesn't even faze them. Why not start getting rid of HTTP and moving to HTTPS? That seems like a pretty low-hanging fruit, easy to do. If you can't do that what makes you think you are going to be able to do more complicated things?
And if you look at what we rely on, we rely on the Web, which isn't secure. We rely on DNS (domain name system), which isn't secure and we rely on e-mail, which isn't secure. The three foundational things we've been using since the dawn of time aren't secure and there doesn't seem to be a big push to fix any of it. These big companies that are encouraging us to put our lives online, the Yahoos, the YouTubes of the world, they're not doing their bit to secure it.
The thing that really kind of pissed me off, during the whole Iranian revolution or protest over the election you saw all these people just pouring their hearts out on these different social sites and their political beliefs out over unsecured http. And the government is sitting there just collecting it all, recording it. And sooner or later they'll come knock on people's doors. It really drove home we are beyond sharing pictures of fluffy cats and the social sites are now being used to organize political movements and social-justice issues.
If that kind of stuff is going to happen you've got to do it in a secure fashion or you're being negligent. Because if it was SSL (Secure Sockets Layer) between say the dissidents in Iran and some social site they would know your IP (Internet Protocol) address connected to Facebook, for example. And they would know that you transferred a couple hundred thousand bytes (of data) but they wouldn't know your log in, they wouldn't know your friends, they wouldn't see what you are posting. They wouldn't know any of that. That seems like a good thing if you are concerned about the well-being of your citizens. A lot of problems would go away if everything were just SSL by default. A lot of the privacy concerns would go away. Every time I get a chance to talk to somebody at one of the big social sites I give them some grief and say, "How come you aren't doing this? Why do you protect my log in but you don't bother to protect the rest of my session?" It's super frustrating.
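Moss's complaint is that sites encrypt the login request and then let the rest of the session travel in the clear. The following WSGI application is an added example, not code from the article or from any of the sites it names; it enforces HTTPS on every path and marks the session cookie so the browser will never send it over plain HTTP. The host name, the cookie name and the X-Forwarded-Proto convention (a TLS-terminating proxy that overwrites that header) are assumptions of the example.

```python
"""Session-wide HTTPS enforcement for a WSGI app (added example).

The point from the interview: protecting only the login form leaves the
session cookie, the friends list and every post exposed to anyone on the
path. Here every request is redirected to HTTPS and the session cookie is
issued only over TLS, with the Secure flag so the browser never replays it
over HTTP.
"""
import secrets
from urllib.parse import quote

SESSION_COOKIE = "sid"        # constructed cookie name
HOST = "social.example"       # constructed host name


def is_https(environ):
    # Assumption: a TLS-terminating reverse proxy sets X-Forwarded-Proto and
    # overwrites any client-supplied value; without such a proxy trust only
    # wsgi.url_scheme.
    scheme = environ.get("HTTP_X_FORWARDED_PROTO") or environ.get("wsgi.url_scheme")
    return scheme == "https"


def https_location(environ):
    """Same path and query string, HTTPS scheme (the only thing that changes)."""
    path = quote(environ.get("PATH_INFO", "/") or "/")
    qs = environ.get("QUERY_STRING", "")
    return f"https://{HOST}{path}" + (f"?{qs}" if qs else "")


def session_cookie_header(session_id):
    # Secure: never sent over http, so a passive observer sees only the
    # encrypted bytes. HttpOnly: not readable by page scripts.
    return ("Set-Cookie",
            f"{SESSION_COOKIE}={session_id}; Secure; HttpOnly; Path=/; SameSite=Lax")


def app(environ, start_response):
    if not is_https(environ):
        # Every path is bounced, not only /login, and no cookie is ever
        # issued over the insecure hop.
        start_response("301 Moved Permanently",
                       [("Location", https_location(environ)),
                        ("Content-Length", "0")])
        return [b""]
    headers = [("Content-Type", "text/plain; charset=utf-8")]
    # Crude presence check is enough here; a real app would parse cookies.
    if f"{SESSION_COOKIE}=" not in environ.get("HTTP_COOKIE", ""):
        headers.append(session_cookie_header(secrets.token_urlsafe(32)))
    body = b"ok\n"
    headers.append(("Content-Length", str(len(body))))
    start_response("200 OK", headers)
    return [body]


def call(environ):
    """Run the app on a constructed environ; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, app).serve_forever()
```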
Jeff Moss, founder of Black Hat and Defcon. (Credit: Darington Forbes)
As a hacker and organizer of Defcon, an event where computer security vulnerabilities and exploits are routinely unveiled, Jeff Moss seemed an unusual choice when he was named to the Homeland Security Advisory Council in June.
But his background and lack of government experience brings a fresh, outsider's perspective to a public sector plagued by a fast-changing threat landscape, perpetual turf wars, and bureaucratic inertia.
With National Cyber Security Awareness Month under way, CNET News discussed with Moss his new role, his thoughts on the national ID card debate, and how the government wants to use social media sites for public emergency alerts. This edited interview is the first of two parts. Part two will run on Monday.
Q: So, how's it going on the Homeland Security Advisory Council?
Moss: It's going pretty well, it's pretty exciting actually. Recently we did a recommendation, I'm sure you read about it, the homeland security color codes. There are the five color codes. Normally the country is on like yellow or orange. I think we've only been to red once. But we've never been to the two lowest, blue and green. So the system was up for review. It turns out that the color codes work really well for industry and government. They have procedures in place. They do things automatically when the color codes are changed. It is actually successful for them but for the third group that uses them, civilians, it actually doesn't work well at all.
Right. We don't understand it. We're like, what does it mean? Is it real?
Moss: How does it give us any actionable information? How should we change our behavior based on it? What came out of the report was that it's very hard for civilians to do anything with it and it causes confusion, and it's the No. 1 source of ridicule. The system needs to stay because it's valuable for the other two groups, but it needs to change; that was the conclusion of the report. So they had a couple of recommendations and one was to just get rid of the two lowest colors because honestly we've never been at them; make the new normal orange. Three levels is probably more realistic than having five. The U.K. doesn't have five either, I think they have three.
My favorite security show each year is one at which there are no sales pitches, the speakers favor black T-shirts and dyed hair over suits and ties, and the talks tend to be controversial enough to prompt legal threats and even arrests.
I'm talking about Defcon, which starts Thursday and runs through Sunday. The event turns part of the Las Vegas strip into a geek equivalent of "Animal House" for a three-day weekend every summer.
Jeff Moss, founder of Black Hat and Defcon. (Credit: Black Hat)
Started in 1993 by Jeff Moss, aka Dark Tangent, Defcon brings together some of the top security experts from around the world, along with thousands of hacker wannabes whose pranks in previous years--hacking the elevators and ATMs and cementing the toilets, to name a few--have led to bans at certain hotels.
"One good thing about the [economic] downturn is that the Riviera Hotel has been easier to deal with," said Moss, who was recently named to the Homeland Security Advisory Council. "They're letting us have access to the pool, so we'll have pool parties, and they've allowed us to do more social things that we wanted to do."
In addition to being a hacker playground and summer camp, Defcon is a semi-neutral ground where people who blur the lines of legality mingle with federal agents whose job it is to hunt them down.
Moss also heads up Defcon's big-sister conference, Black Hat, whose briefings schedule runs Wednesday and Thursday at the more upscale but no less kitschy Caesars Palace. (Black Hat training sessions started over the weekend.)
While Black Hat is more professional, with vendor tables in the lobby and respectable product presentations in meeting rooms, Defcon is a chaotic tableau of goth-attired groupies, script kiddies hunkered over laptops lining the hallways at all hours of the night and gray-haired hackers who were likely teens when they first started coming to the event.
The presentations are usually top-notch (many of them duplicates from the more expensive Black Hat show), but Defcon is known just as much for the activities going on outside of the sessions.
There's Hacker Jeopardy, Hacker Karaoke, an artwork contest, geo-caching events, a beverage cooling contraption contest, organized target shooting, a Capture the Flag penetration testing competition, lock picking workshops, a PGP Key Signing Party, DJs, a scavenger hunt, the highly popular Spot the Fed contest, a competition to find the best social engineer and a Cannonball Run car race described as "a race against time over 288 miles of road" from Redondo Beach to Las Vegas on Thursday.
Despite the recession, both events are expected to be crowded.
"We had been expecting 30 percent fewer attendees and in reality we're only going to have 10 to 15 percent fewer," Moss said. "The market went down and all of this research came up."
The research topics run the gamut of vulnerabilities and exploits on everything from iPhones to smart grids. One session deals with air traffic control security (or lack thereof). Others have to do with injecting electromagnetic pulses into the wiring system of jets, insecurities with Firefox plug-ins, cloud computing security issues and a new tool to send controversial news to censored countries without using proxy servers.
Unveiling a darknet
Several researchers are going to release a tool for hacking into Oracle databases. Meanwhile, two Hewlett-Packard researchers plan to demonstrate a proof-of-concept browser-based darknet type of network called "Veiled" that allows for the creation of a secure, decentralized peer-to-peer network in which no client software is downloaded.
"The clients are the owners of the files and there is no single point of failure," said Matt Wood, a senior researcher in the Web Security Research Group at HP Software and Solutions. "No one in the government can go to you and say 'we need the files.'"
Interesting session titles include "Cracking 400,000 Passwords, or How to Explain to Your Roommate why the Power Bill is a Little High," "Manipulation and Abuse of the Consumer Credit Reporting Agencies," "Hacking Capitalism '09," and "'Smart' Parking Meter Implementations, Globalism, and You (aka Meter Maids Eat Their Young)."
There's always a Meet the Fed panel with representatives from all the major defense and security-related government agencies. And well-known keynote speakers and presenters include Robert Lentz, chief security officer for the Department of Defense; Rod Beckstrom, former Director of the National Cyber Security Center in the U.S. Department of Homeland Security; Adam Savage, co-host of the "MythBusters" TV show; and perennial favorite Bruce Schneier, security guru and chief technology officer of BT Counterpane.
When hackers go public with details on exploits, vendors get nervous--companies have moved to block presentations at the shows over the years. This year is no exception. Juniper Networks pulled a talk one of its researchers was set to give about a flaw in ATM software after the ATM vendor complained. In his presentation entitled "Jackpotting Automated Teller Machines," Barnaby Jack was planning to provide a live demonstration of an attack on an automated teller machine.
"I'm disappointed Barnaby Jack's talk was canceled," said Moss. Another speaker this year was "forced or encouraged" not to release a tool, Moss said, but he couldn't remember which speaker or talk it was.
Last year, a talk on hacking smartcards used in the Boston subway system was blocked after a federal judge granted the Massachusetts transit authority's request for an injunction. In 2005, a security researcher was sued after giving a presentation at Defcon on how attackers could take over Cisco Systems routers. And in 2001, the FBI took Russian crypto expert Dmitry Sklyarov into custody at his Las Vegas hotel the day after he gave a Defcon talk about insecurities in e-book security software. All cases were eventually settled.
Defcon averted another type of legal debacle this year--the importation of its microprocessor-dependent badges, which are needed for the badge-hacking contest.
"I'm excited the badges for Defcon will be here," Moss said gleefully. "They were held up in Chinese customs for two months. It was a complete nightmare."
Defcon founder Jeff Moss, aka Dark Tangent, is one of the newest members of the Homeland Security Advisory Council. (Credit: Defcon)
Jeff Moss, founder of the Black Hat and Defcon hacker and security conferences, was among 16 people sworn in on Friday to the Homeland Security Advisory Council.
The HSAC members will provide recommendations and advice directly to Secretary of Homeland Security Janet Napolitano.
Moss' background as a computer hacker (aka "Dark Tangent") and role as a luminary among young hackers who flock to Defcon in Las Vegas every summer might seem to make him an odd choice to swear allegiance to the government. (Although before running his computer conferences, Moss also worked in the information system security division at Ernst & Young.)
I'd like to hear some of the banter as he rubs elbows with the likes of former CIA (Bill Webster) and FBI directors (Louis Freeh), Los Angeles County sheriff, Miami mayor, New York police commissioner, governors of Maryland and Georgia, former Colorado Sen. Gary Hart, and the president of the Navajo Nation.
In an interview late on Friday, Moss, who is 39, said he was surprised when he got the call and was asked to join the group.
"I know there is a newfound emphasis on cybersecurity and they're looking to diversify the members and to have alternative viewpoints," he said. "I think they needed a skeptical outsider's view because that has been missing."
Asked if there was anything in particular he would advocate, Moss said: "There will be more cyber announcements in coming weeks and once that happens my role will become more clear. This meeting was focused on Southwest border protection... With things like Fastpass and Safe Flight, everything they are doing has some kind of technology component."
Moss, who is genuinely humble, said he was "fantastically honored and excited to contribute" to the HSAC and not concerned with losing any street cred among what some would call his fan base. He did concede that his new position would give him an unfair advantage in Defcon's "Spot The Fed" contest in which people win prizes for successfully outing undercover government agents.
Security consultant Kevin Mitnick, who spent five years in prison on computer-related charges and was once the FBI's most-wanted cybercriminal, praised Moss' diplomacy, but said: "I'm surprised to see Jeff on the list. I would have expected (crypto/security guru and author) Bruce Schneier to be on the council."
Moss "is a great crowd pleaser" and "he's just bad enough for them to say 'we're crossing the ranks,'" said journalist and threat analyst Adrian Lamo, who served two years of probation for breaking into computer networks. "But the reality is he's as corporate as hiring someone out of Microsoft."
In Black Hat's October Webinar on Thursday, Anton Kapela, datacenter manager at 5Nines Data, spoke about Internet-scale "man in the middle" attacks.
The talk reprised a last-minute substitution presentation he gave along with Alexander Pilosov at this year's Defcon conference in August. During the conference, the two researchers intercepted all conference Internet traffic at the Riviera Hotel in Las Vegas and ran it through their servers. According to Black Hat founder and director Jeff Moss, most attendees didn't realize this was being done.
"This is an emergent vulnerability," said Kapela in the Webinar. "It only becomes apparent in thousands of networks, not one." He took care to explain that this is really a condition of the Internet today. "I'm not talking about any particular failing, or vendor implementation. This is something that happens because we're using it all," he said.
Both Kapela and Moss drew parallels between this flaw and Dan Kaminsky's DNS disclosure in July. Moss said that this talk in particular was representative of research being done on the bedrock foundations of the Internet. Lately researchers have been finding faults that could have enormous impact in the future.
Kapela said there is a trust issue with Border Gateway Protocol, and admitted that the hijacking part of his talk isn't new. What is new is that "any network has the ability to facilitate this attack." Kapela and his partner found a feasible return path using Autonomous System Numbers that provides a way to hop-scotch through an attacker's network on the way back to yours. In a newsgroup thread, Kapela summarized it as "using AS-path loop detection to selectively blackhole the hijacked route which creates a transport path back to the target."
Kapela said this method challenges the conventional thinking that traffic analysis means you have to be local. You could be in China and monitoring static networks in the U.S.
Black Hat has been hosting these Webinars since June, and offers an e-mail address (subscribe-webcasts@blackhat.com) to subscribe for updates.
LAS VEGAS--Black Hat 2008 is bigger, and some might say better. Occupying most of the third and fourth floors of the convention hall at Caesars Palace, the conference started on Saturday with two- and four-day training sessions that continue through Tuesday.
The "public" part of Black Hat runs Wednesday and Thursday and features speakers in 15 separate tracks. One of the tracks will consist of Turbo talks of 20 minutes each. After those, there will be an opportunity for the audience to talk with some of the speakers in another room.
Wednesday starts with a bang with Billy Rios and Nitesh Dhanjani reprising their Black Hat DC talk "Bad Sushi." Expectations are running high as Dan Kaminsky reveals more about his DNS vulnerability. Petko Petkov will be talking on client-side security and Joe Stewart talking on the protocols and encryption of the Storm worm. Brian Chess and Jacob West will host the second annual Iron Chef Black Hat. Tom Stracener and Robert Hansen will present on vulnerabilities with Google Gadgets and Bruce Potter will talk about malware detection using network flow analysis. Then Jim Christy returns with the annual Meet the Feds panel with Federal agents from various agencies.
Events continue into the evening with the annual Hacker Court, a mock trial on some topical issue. At the same time there will be a presentation on recommendations for the 44th Presidency around cybersecurity.
Thursday starts with Shawn Moyer and Nathan Hamiel presenting Satan is on my Friends List, a talk about social networking evil. Then Billy Hoffman on Circumventing Automated JavaScript Analysis Tools. Lukas Grunwald on Federal Trojans. Karsten Nohl on MiFare hacking. Jeremiah Grossman and Arian Evans on making money on the Web, the Black Hat way. And Rob Carter and others will talk on a hybrid file format that combines GIF images with Java Archive Sets. Calling these files GIFARs, the speakers say this intersection of Javascript with images could pose a difficult problem in the near future. Christopher Tarnovsky will talk on exploiting Secure Smartcards and Microcontrollers.
Preceding the talks on both Wednesday and Thursday will be a keynote. On Wednesday, Ian Angell, Professor of Information Systems, London School of Economics, will talk on "Complexity in Computer Security--a Risky Business". On Thursday, Rod Beckström, director of the National Cyber Security Center (NCSC) will talk on "Natural Security."
So far the only controversy concerns Apple. Last week one researcher announced he would not present his talk on the Apple FileVault, then it was announced that a second talk on security practices at Apple was also withdrawn by the panel moderator.
For the first time, Black Hat 2008 will borrow the "Wall of Sheep," a display of unprotected wireless networks sniffed at the conference, from its sister conference, Defcon, which begins on Friday at the Riviera, just up the street.
LAS VEGAS--A panel discussion with Apple employees talking about the company's security practices was canceled by its moderator.
Black Hat founder and director Jeff Moss told ComputerWorld that "it was them talking about security engineering and how they take security seriously. It would have put Apple in a positive light."
Last week, another session on Apple FileVault was pulled at the request of its presenter, Charles Edge. He reportedly signed an agreement with Apple preventing him from talking about the vulnerabilities he'd found.
In his first public comments since his Domain Name System (DNS) cache poisoning flaw was made public, Dan Kaminsky said in a conference call on Thursday he doesn't want to parse who said what when. He just wants everyone to understand that they must patch their systems now.
Speaking during the second pre-Black Hat security conference Webinar, Kaminsky, who's director of penetration testing for IOActive, provided the most information to date about the DNS flaw he found earlier this year but only disclosed in public on July 8. DNS is what translates the common name of a Web site into its numerical IP address, and is therefore a fundamental component to the Internet. His announcement coincided with a massive, multivendor patch release. But he withheld details, hoping that most people would get their systems patched before the bad guys got a hold of it.
Kaminsky said the word is getting out about the patches, but there are still many systems that are vulnerable. From the period of July 8 through July 13, 86 percent of the people testing their system on his Web site were vulnerable. Today it's 52 percent. "Not perfect; not even good enough," he said. But "I'll take 52 any day of the week and twice on Sunday."
He started off by saying that he was trying to find a way to do content distribution using DNS when he realized the problem. "How much trouble are we in? A lot."
Of the public discussion from individuals within the security community, Kaminsky said Halvar Flake's speculation was the closest. For those who said they knew of flaws in DNS before today, Kaminsky said "you didn't know this one."
Dan Kaminsky (Credit: Declan McCullagh/CNET News)
Kaminsky described the flaw he's been working on as containing three flaws; two have been known, but one was not. Security researchers always thought it was hard to poison DNS records. He said to think of the process as a race, with a good guy and bad guy each trying to get a secret number transaction ID. "You can get there first," he said, "but you can't cross the finish line unless you have the secret number." The good guy will always have it, but the bad guy has a 1 in 65,000 chance of getting it because the transaction ID is based in part on the port number used.
One bug with DNS is that the bad guy can start the race anytime he wants. If he doesn't know the transaction number, he can always guess. Another fundamental flaw is that there will be multiple bad guys trying to guess the transaction number. The flaw Kaminsky found that builds on the first two is that not only can multiple bad guys participate in a single race, but there can also be multiple races. The example he gave was www.blackhat.com. A bad guy shouldn't just try to guess the transaction ID for that address, but also for 1.blackhat.com, 2.blackhat.com, etc.
Everyone thought, he said, if "one sets a long time to live (TTL), say, for one year, that would work." But Kaminsky found that going to look up 1.blackhat.com, 2.blackhat.com, etc, he can find the name server and then guess the transaction ID. Kaminsky said the process of getting a response is about 10 seconds.
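The three-part race Kaminsky describes can be put into numbers. The Python model below is added here and is not from the article or from Kaminsky's talk; it treats a race as a batch of forged replies that must match a secret value before the real answer arrives, and shows why a long TTL does not help once each race uses a fresh name, and why the patch (randomizing the resolver's source port) does. The attack window, the 10-second race time and the guess count in compare_scenarios() are constructed, and the patched resolver is assumed to draw its source port from the full 16-bit range.

```python
"""Odds model for the DNS cache-poisoning race (added example, not Kaminsky's code).

Three ingredients from the talk summary:
  1. the attacker can start a race whenever he wants,
  2. he can send many guesses during one race,
  3. with 1.example, 2.example, ... every race uses a fresh name, so a lost
     race does not leave a cached record that blocks the next attempt.
The patch widens the secret from the 16-bit transaction ID to the
transaction ID plus a randomized source port.
"""

TXID_BITS = 16  # the DNS transaction ID is a 16-bit field (the article's "1 in 65,000")


def guess_space(port_entropy_bits):
    """Number of (transaction ID, source port) pairs a forged reply must match.

    port_entropy_bits is 0 for an unpatched resolver that reuses one source
    port; assumption: a patched resolver adds up to 16 bits.
    """
    return 2 ** (TXID_BITS + port_entropy_bits)


def race_win_probability(guesses_per_race, port_entropy_bits):
    """Chance that at least one of the forged replies sent during a single
    race (before the legitimate answer lands) carries the right secret."""
    space = guess_space(port_entropy_bits)
    guesses = min(guesses_per_race, space)
    return 1.0 - (1.0 - 1.0 / space) ** guesses


def races_in_window(attack_seconds, ttl_seconds, race_seconds, fresh_name_per_race):
    """How many races fit into the attack window.

    Without fresh names a lost race leaves the genuine record cached for
    ttl_seconds, so the next race must wait for expiry. With a fresh name
    per race the attacker is limited only by how long one race takes.
    """
    if attack_seconds < race_seconds:
        return 0
    period = race_seconds if fresh_name_per_race else max(ttl_seconds, race_seconds)
    return 1 + int((attack_seconds - race_seconds) // period)


def overall_success_probability(attack_seconds, ttl_seconds, race_seconds,
                                guesses_per_race, port_entropy_bits,
                                fresh_name_per_race):
    races = races_in_window(attack_seconds, ttl_seconds, race_seconds, fresh_name_per_race)
    p = race_win_probability(guesses_per_race, port_entropy_bits)
    return 1.0 - (1.0 - p) ** races


def compare_scenarios():
    """Constructed scenario: one-day attack window, the article's ~10 second
    race, a one-year TTL, and 500 forged replies per race."""
    day, year, race, guesses = 86400, 365 * 86400, 10, 500
    return {
        # one race, then the record is cached for a year
        "long_ttl_only": overall_success_probability(day, year, race, guesses, 0, False),
        # fresh name per race, unpatched: thousands of races in a day
        "fresh_names_unpatched": overall_success_probability(day, year, race, guesses, 0, True),
        # fresh name per race, source port randomized (16 extra bits assumed)
        "fresh_names_patched": overall_success_probability(day, year, race, guesses, 16, True),
    }


if __name__ == "__main__":
    for name, prob in compare_scenarios().items():
        print(f"{name:24s} {prob:.3g}")
```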
"Patch is the way to go; it shuts down the attack vector," said Jerry Dixon, former director of National Cyber Security Division of DHS. This was echoed by Rich Mogull of Securosis, and by Joao Damas, a senior program manager at the Internet Systems Consortium.
Kaminsky said the current patch has made exploits thousands of times harder--one in several hundred million, "not infinity." The bug is core to the design; it's fundamental to the design.
What have we learned? "We learned what needs to be done to fix the Net in the future. I await the security community's judgment on what we've done."
As for the long-term "Where do we go from here?" Kaminsky said there's going to be an awesome debate about that.
On August 6, Kaminsky will present "End of Cache as we know it" at Black Hat in Las Vegas.