Most technical people in the internet community are well aware of the latest DNS poisoning attack discovered by researcher Dan Kaminsky. There have been many comments and posts on it. I have seen Dan Kaminsky speak a few times. He is a smart guy and an excellent researcher. Unfortunately, I believe this attack was not handled properly.
Yes, Dan used responsible disclosure. He contacted and worked with the major DNS vendors to understand and fix the problem. They produced a ‘patch’ and released it to the public. This was all great. It is at this point that I start to have a problem.
The patch was released without telling the community the details of the issue. It was a ‘trust us’ you need to patch. Does that sound familiar? Governments and vendors do it all the time. You don’t need to know the details, just trust us to protect you and do the right thing. A good article on the chronology of events is here. The reason for not telling the public was that it was going to be presented at Blackhat in a couple of weeks. This for me is where I start to have issues with the handling of this vulnerability. A well-respected security researcher discovers a vulnerability in the DNS system that is very serious. Once a patch is available, rather than get all the information out he decides to hold the details to build hype for a presentation at Blackhat. Not very responsible at all. I’d suggest it was self-serving.
Between the patch release and BlackHat, people speculate as to what the DNS vulnerability is and eventually someone figures it out. I suppose one could argue that the primary goal of the DNS vulnerability discovery and lack of full release was not publicity at Blackhat. Yet as soon as the attack is figured out and released by someone other than Dan, I receive this e-mail:
Black Hat’s Second LIVE WEBCAST
Dan Kaminsky’s DNS Discovery:
The Global DNS Issue and the Massive, Multi-Vendor Fix
Thursday, July 24
1:00 pm PST/4:00 pm ET. FREE
Speakers: Jeff Moss, Dan Kaminsky, Jerry Dixon, Rich Mogul, Joao Damas
Register Now at
http://w.on24.com………
Overview:
Early in 2008, security researcher Dan Kaminsky located a gaping hole in the
basic underpinnings of the internet. This fundamental flaw in DNS security
renders almost all DNS servers open to cache poisoning (US CERT VU#800113).
As the vulnerability arises from flaws in the design of the DNS protocol,
the issue affects nearly all vendors and nearly all products designed to
work with DNS.
In the intervening time, Dan has worked with a coalition of vendors to
create a fix for this very serious and ubiquitous vulnerability. On July
8th, technology vendors from across the industry simultaneously released
patches for their products in a combined effort of historic proportion.
Join Dan Kaminsky, director of penetration testing for IOactive; Jerry
Dixon, former director of the National Cyber Security Division at DHS; and
other experts to discuss the largest synchronized security update in the
history of the Internet. Dan will tell the story behind the discovery, and
the process of creating and deploying the fix.
Presenters
Dan Kaminsky, Director of Penetration Testing, IOactive
Jerry Dixon, Former Director of the National Cyber Security Division, DHS
Rich Mogul, Securosis
Joao Damas, Sr. Programme Manager, ISC
Obviously they are still trying to capitalize on the ‘publicity’ around this event. This makes me sad. Maybe Dan is being forced to do this because the company he works for wants the publicity and is forcing him, or maybe he just secretly wants to be famous (he already is) and get public attention. Personally, I don’t know and I don’t really care. From what I have heard he is still not going to publish the ‘technical’ details till Blackhat, although this is kind of silly at this point.
What I do care about and am disappointed by is that a security researcher of Dan’s caliber is willing to deploy a ‘trust us’ mentality for his own or his company’s public self-gain. This has caused speculation and naturally causes both good and bad guys to try and figure it out. Basically, the media attention was more important than full disclosure at the right time. The right answer was to come clean as soon as the patch was released. People like myself will still go to see his presentation. Of course the media might not as it will be old news — which appears to be the main concern. I appreciate the work Dan and others like him do. I am disappointed in the apparent need for ‘self’ media attention. I expect it with software and hardware vendors. I never expected it from the security research community and a prominent individual in the community such as Dan.
