Tuesday, July 8, 2008

OMG, we're all going to die!

There's a problem in DNS (for those of you new to Al Gore's Intarwebz, that's what changes cute names like "borepatch.blogspot.com" into actual, you know, addresses). Seems that if you're really clever, you can pretty much pwn DNS at will, which lets you do all sorts of fun and games - like impersonate web sites.

As you'd expect, the security world is in a bit of a tizzy over this. As they should be. They're security gurus, after all.

Should you be in a tizzy? Well, that depends. If you're also a security guru, then you don't need to listen to me on this. If you're not, here are some things you should know:
  1. There's probably not much you can do about this. Your ISP (and all the other ISPs) will have their security guru run out the patch, post haste.
  2. There's basically no information available on this - it will be unveiled at the Black Hat briefings next month in Las Vegas. Therefore, it's kind of hard to gauge just what the heck is going on, except a lot of smart security guys are paying attention (see links above, or on the blog roll).
  3. The press is almost certain to get this wrong, and hype it as much as they think they can. None of them will have the slightest idea what they're talking about.

So, did we create the "Infrastructure of the 21st Century" out of moonbeams and spun sugar? Sure did. Did anyone at all give the slightest thought to security when Al Gore set his Zombie Army to work on the information super highway? Uh, sorry, nope. Will Sir Pwnsalot and his 'leet friends empty grandma's online bank account? Given web security, they probably already have - this doesn't change much.

Are we all gonna DIIEEEE? Don't think so.

Security is a pretty funny business. We're not getting any better at it, but we're not all getting fired, either. Yay, us!

