The man who transformed internet security
Published: 16 Jul 2008 15:19 BST
...who opt for this method, although he said he didn't understand why a company would pay for this information. (I know the answer: TippingPoint uses the vulnerability data it purchases to protect its customers first, thereby giving it a competitive advantage in the vulnerability assessment space).
Another option for Kaminsky was to go public, to announce the vulnerability and publish details, including an exploit, on, say, Bugtraq. A few researchers have gone down this route, but often as a last resort after getting a cold shoulder from the vendor. Some researchers have published flaw details first without contacting anyone, taking both the public and the vendor by surprise. But such moves are unwise since they give the bad guys all the information they need while everyone is vulnerable.
Finally, as Kaminsky reminded me, there's the option of selling your vulnerability to the criminal underside of the internet.
With the DNS flaw, Kaminsky was in a very weird position. What he found wrong with the DNS — the servers that translate a website's common name to its IP address — wasn't just within one vendor's product; it cut across various products, from various vendors. Kaminsky said he consulted DNS expert Paul Vixie, and together they decided they had to convene a meeting, and do so within a few weeks of the discovery.
That meeting occurred at Microsoft's Redmond, Washington, headquarters on 31 March, 2008. There, representatives from 16 vendors sat down and listened to Kaminsky's pitch. After deciding this was a real and exploitable problem, the vendors decided they would have little choice but to agree to release simultaneously their respective patches.
At some point, 8 July, 2008, was agreed upon as the date, perhaps because it coincided with Microsoft's monthly Patch Tuesday. The date was significant in other ways: for example, it fell roughly 30 days before Kaminsky was scheduled to speak at Black Hat in Las Vegas.
Between March and July, there was considerable to-ing and fro-ing among Kaminsky and the vendors, and then, as the date neared, he decided to share the details with a few others.
In retrospect, Kaminsky confessed that he really should have told more people. He had taken great pains to inform the DNS community, the specific vendors and a few researchers. He did so to keep word from getting out.
But within hours of making his announcement, Kaminsky faced a chorus of public ridicule by other security researchers, most hearing about the flaw for the very first time. The complaints, at times, trivialised the announcement, with fellow researchers citing that similar claims had been made against DNS three to 10 years before or even longer. Some suggested Kaminsky was simply trying to advertise his talk at Black Hat next month.
Most vocal was Matasano Security researcher Thomas Ptacek, who blogged his doubts. But Kaminsky called Ptacek and he retracted his comments. He now says, "Dan has the goods. Patch now, ask questions later."
Whether Kaminsky knocks the socks off of everyone at Black Hat seems considerably less important than the responsible nature of his disclosure. He could, as Ptacek notes, have made thousands off the DNS discovery. Instead, Kaminsky has set a high mark for future disclosures. He has changed internet security, and done so for the better of us all.