• DSA-1605 glibc - DNS cache poisoning
• DSA-1604 bind - DNS cache poisoning
• DSA-1603 bind9 - DNS cache poisoning

The attack works if the victim machine uses a predictable source port when it makes DNS queries. Thus the current solution to the problem is to try to randomize the source port of the query.

Now, the default resolving library that is part of glibc and the resolver that comes with BIND 8 do not randomise source ports and are thus subject to attack. This means that until glibc is patched every machine that uses glibc is vulnerable unless one installs a source port randomising DNS caching resolver on each such machine.

Here is what appears to be a simpler alternative:

iptables -t nat -A POSTROUTING -o ! lo -p udp --dport 53 \
    -j MASQUERADE --to-ports 1024-65535 --random

iptables -t nat -A POSTROUTING -o ! lo -p tcp --dport 53 \
    -j MASQUERADE --to-ports 1024-65535 --random

WARNING: The above suggestion may or may not work and may break your machine in all kinds of awful ways!

Will someone more knowledgable than me about the various RFC's confirm whether this would indeed be a "quickfix"?

Ideally, we should expect a suitably patched glibc soon and that would be a better solution

Update: The --random switch only works in Linux kernels with version at least 2.6.22

Update 2: (Thanks to Rick Moen).

• The --random switch only works with Linux kernels with version at least 2.6.24
• There is a good analysis of the vulnerability which points to additional fake records added to fake responses to queries for domains that do not exist.

What this means is that the above quickfix will not work well enough if you run a caching DNS server. You must patch the source for such a caching DNS server.

Secondly, you cannot really use the above quickfix on a machine that provides UDP-based services for remote clients. Those clients may just happen send your service a query from the source port 53 and will get a response from a randomised port in return! For example, you cannot use the above fix on an authority record providing DNS server. Specifically, if you are still running BIND 8 then follow the advice in Simon's comment and upgrade to BIND 9.

1. Only text without attachments.
2. Text that contains incoherent sentences or disconnected sentences.¹
3. Messages from addresses definitely not known to the recipient.²

Here are some possiblities that occured to me.

A. These are messages that are designed to test/mar the efficiency of the spam detection systems currently employed by servers.

B. These messages contain coded messages that are flooded across the internet in an attempt to disguise their true origin/destination. The real message could be short one such as "the machine from which this has been sent has serious security holes".

C. This is generated for someone's research project.

D. This is the result of some spam generating software/virus which has bugs.

I don't know if this is worth wondering about ... except ... why is someone going to some trouble to make (a program which is making) life difficult for everyone?

1. The USB cable. This works with the recent(?) cdc-acm driver as a serial device (/dev/ttyACM0 for me). It cannot be used as a USB-storage device and mounted---worse luck.

   1. It doesn't work too well with "gammu". It seems that Motorola changed the AT+Cxxx command sequence "a bit". What you *can* do is download the phonebook with "--backup" but this is only for local storage since re-upload fails.

   2. "moto4lin" is a Qt-based program that works fine for editing the filesystem (up/down loading photos/music etc but not the phonebook!). It can also edit the "SEEM" which looks dangerous so I haven't tried it yet. You can also upload Java applications but I haven't done that either.

2. Bluetooth. This need a firmware upgrade (I was within the warranty period when I asked for one so it was free) to R374_G_0E.42.10R_A (at least; I noticed somewhere that _B,_C, etc are available). Even after this it was not entirely smooth sailing.

   1. Bluetooth connects with bluez-utils. It was a bit tricky for me (=command-line-type!). This needed a file /var/lib/bluetooth/<local_address>/pincodes containing entries like

                	<phone_address> 12345678
      	  

      The 12345678 is the "initial shared secret" used between your phone and the computer. The file can be deleted after establishing a connection the first time.

   2. "obexftp" and "obexfs" can be used to access all the audio/pictures/video that you create (but not the others; you need "moto4lin" for that). However, this leads to corrupt {down,up}loads. The situation was worse with a Mac that Sudeshna uses.

   3. "obexpushd" and "ussp-push" are inherently less secure programs and are difficult to "batchify" but those are the ones that currently work for me to download and upload files without corruption.

   4. "gammu" with "bluerfat" (which is AT commands over RFCOMM) work fine for the phonebook. This is because the phone seems to use standard AT+Cxxx commands over this interface---wierd that it doesn't over the cable! I am able to edit the phone book and even use my computer keyboard as a remote keyboard instead of the phone keyboard. Can't access multimedia data over this interface though.

3. Still to try (but will not try soon since I've already wasted two weeks on this!).

   1. Haven't yet tried to connect to the net using the phone. In principle, the difficulty here is not with the phone but with the service providers instructions---I still haven't managed to decode them---Indlish anyone?

   2. Haven't yet tried to unlock the pre-installed "Web sessions". This can be done by editing the SEEM according to various web sites. It doesn't have to be done yet since I am able to edit everything except the name of these sessions. That is enough to use the phone browser to "browse the web".

   3. Install Java applications and get them to work. I created some room by deleted all those keyboard damaging games that were installed but haven't got further than that.

   4. Re-write "moto4lin" as a command-line program. Why should one need to use Qt for a task like this?

The question arises: How will people learn about GNU and Linux once everything starts working smoothly?

I can certainly vouch for the fact that many of the things I learnt about computers, I learnt because the computer was not doing things the way I wanted it to.

From Personal Experience

There are two types of mathematics books.

There are those where the author has taken great pains to construct the most illuminating exercises for the student to solve at the end of each chapter.

And then there are the books where there are mistakes in the text. The exercise is to find the mistakes and correct them.

I have learnt more from the latter than the former

At the opposite end of the spectrum from elitism is dumbing down. I know nothing of the education systems outside England so, conversely, I expect some of LG's foreign readers may well be puzzled by my earlier references. For their possible interest, there used to be two distinct types of Further Education establishment in England (I simplify somewhat).

Coming as I do from India, I fall somewhere in between "total foreigners" and the "UK locals". Just call me a "colonial" or "coolie" for short---I promise not to take offence.

University - a place of academic excellence, awarding degrees. Polytechnic - providing practical training, leading to qualifications such as "City & Guilds", HNC and HND.

The following story is told about three students from the IIT's at Kanpur, Delhi, Madras who go for an interview. The ceiling fan in the interview room is not working. The candidate is asked for an opinion.

IITK Candidate: Actually, what this building needs is a centralised air-conditioning plant that takes into account the weather conditions in this city which is in the tropics and is near the sea. I have a few research papers on the solution of the partial differential equations that arise when one takes all these factors into account. MIT has given me a doctoral fellowship to study these aspects of the Carnot cycle in greater detail. At the same time the mathematics department at Harvard feels that I should instead expand on the very unusual use of wavelets in my solutions.

IITD Candidate: Here are my designs that improve upon certain air-conditioning units that are being developed at General Electric (in the USA) so that they will work well for the Indian consumer. I am looking for ways in which I can patent these or join up with GE to produce these for the mass market.

IITM Candidate: Hold on. Takes out a screwdriver. Opens the switch board and mutters "Regulator is bust". Goes off to the neighbourhood hardware store and returns with some fine copper wire. Then re-wires the regulator and soon the fan is working.

The amazing thing about this story is that each of the IIT's felt that the story was a way of complimenting them on the students they produced!

IMNSHO, "academic excellence" or "awarding degrees" alone only leads to more tree felling (or toxic e-waste in the modern world) in the pointless pursuit of awards, while "partical training" alone will produce people who will resist change due their ineptness at adapting. A true university should impart training in using both halves of the brain.

The entry requirements for a Poly would invariably be considerably lower than for University. Each had its own well-defined function, and there was little overlap.

If I have learned anything in my N years of involvement with academic world it is this---input and output are not so closely correlated. The lack of overlap has probably harmed all of those who went in to these "systems".