We see a lot of FUD on a daily basis here in the security industry, and it’s rarely worth blogging about. But for whatever reason this one managed to get under my skin.
Nominum is a commercial DNS vendor that normally targets large enterprises and ISPs. Their DNS server software includes more features than the usual BIND installation, and was originally designed to run in high-assurance environments. From what I know, it’s a decent product. But that doesn’t excuse the stupid statements from one of their executives in this interview that’s been all over the interwebs the past couple days:
Q: In the announcement for Nominum’s new Skye cloud DNS services, you say Skye ‘closes a key weakness in the internet’. What is that weakness?
A: Freeware legacy DNS is the internet’s dirty little secret – and it’s not even little, it’s probably a big secret. Because if you think of all the places outside of where Nominum is today – whether it’s the majority of enterprise accounts or some of the smaller ISPs – they all have essentially been running freeware up until now. Given all the nasty things that have happened this year, freeware is a recipe for problems, and it’s just going to get worse.
…
Q: Are you talking about open-source software?
A: Correct. So, whether it’s Eircom in Ireland or a Brazilian ISP that was attacked earlier this year, all of them were using some variant of freeware. Freeware is not akin to malware, but is opening up those customers to problems.
…
By virtue of something being open source, it has to be open to everybody to look into. I can’t keep secrets in there. But if I have a commercial-grade software product, then all of that is closed off, and so things are not visible to the hacker.
…
Nominum software was written 100 percent from the ground up, and by having software with source code that is not open for everybody to look at, it is inherently more secure.
…
I would respond to them by saying, just look at the facts over the past six months, at the number of vulnerabilities announced and the number of patches that had to be made to BIND and freeware products. And Nominum has not had a single known vulnerability in its software.
The word “bullsh**” comes to mind. Rather than going on a rant, I’ll merely include a couple of interesting reference points:
- Screenshot of a cross-site scripting vulnerability on the Nominum customer portal.
- Link to a security advisory in 2008. Gee, I guess it’s older than 6 months, but feel free to look at the record of DJBDNS, which wasn’t vulnerable to the DNS vuln.
- As for closed source commercial code having fewer vulnerabilities than open source, I refer you to everything from the recent SMB2 vulnerability, to pretty much every proprietary platform vs. FOSS in history. There are no statistics to support his position. Okay, maybe if you set the window to 2 weeks. That might work: “over the past 2 weeks we have had far fewer vulnerabilities than any open source DNS implementation”.
Their product and service are probably good (once they fix that XSS, and any others that are lurking), but what a load of garbage in that interview…
4 Replies to “Stupid FUD: Weird Nominum Interview”
“I refer you to everything from the recent SMB2 vulnerability, to pretty much every proprietary platform vs. FOSS in history”
I take your bait and see you ASP.NET vs. PHP, or better yet, Windows (all versions), Office, IE, SQL Server, Exchange, and .Net combined vs. the 18,000 and counting vulnerabilities found in the PHP runtime (and unlike Firefox, which can rightly say that many of its vulnerabilities are developer-found and -fixed flaws, the same is not at all true for PHP).
Security comes neither from open nor closed source but rather from the discipline and holistic security approach taken by the organization developing the code. Organizations that have security built in through their security process and enforce compliance to it produce secure code; those that don’t fail to do so. As evidence: SQL Server 2000 vs. SQL Server 2005, or Mozilla 1.0 (which people forget was long considered the abject failure of the OSS model) vs. Firefox 3.5. The OSS mantra of many eyes is a bunch of bullshit – the vast majority of eyes happen to belong to people not trained to catch sophisticated security flaws (unsophisticated security flaws can be found much more effectively using static analysis tools), and I have yet to see credible evidence that suggests those who are skilled at spotting sophisticated security flaws during code review are flocking in larger numbers to open source projects than to proprietary code (since, after all, they can be paid a crap ton given the relative scarcity of the skill).
Anyway, all of that said, the rest of your rant is fairly spot on. If the company had described how they built security considerations into their design and development process rather than simply played some nonsense proprietary vs. open argument, they might have earned an ounce of credibility (that most of their other statements would have negated), but obviously they didn’t.
I’d just make the question (as many of us would):
Which is smarter in the long run, a small group working together or everyone working together?
Sure, the small group (or individual) can have that moment of insight letting them leap ahead of the masses… but only until the concept is out there.
It is a matter of resources – both intellectual and physical – and the more resource available to work on an issue/concept/problem/idea the more progress.
I would like to suggest that a proposal be sent to the governments around the world to class such “our stuff is better cause we don’t share with others” kind of mentality be classed as a mental illness and that they should offer counseling and support groups akin to AA for those suffering such. Perhaps an addendum that these people also be prevented from speaking in public would also help.
I’m too much the technical geek to write such a proposal, but I’ll sign the petition if someone else drafts it.
I think the extra ironic part is when you look at their website, and the customer and partner login pages.
They run… Apache and… PHP, on… Red Hat. So if they’ve got no confidence in open source, you do have to ask why they think it’s good enough to run on their web servers…
What Rich does not know is I drafted a post on this same subject yesterday and deleted it as too inflammatory. As he usually does, Rich has more succinctly raised his points without bashing. I would simply like to pose the question “Is AES or Blowfish insecure because the source code is open”?