09 August 2008

DNS flaw released without warning

I think the Kaminsky DNS vulnerability news was big enough that non-tech people heard about it, so hopefully everyone here knows what I'm talking about; if not, it doesn't really matter. There was a serious DNS vulnerability that Dan Kaminsky discovered this year. Ignoring the temptation to hack the entire Internet, he worked with DNS vendors to patch their nameservers; there's a fairly cool video that shows a map of the world over time colored to show if servers are patched or not:

The details of how the exploit worked weren't actually supposed to come out until his Black Hat presentation a few days ago, but they leaked a week or so early. Nonetheless, watch the clip above and look at how many servers were patched by the time the details came out in late July.

Then some Russian guy discovered that the fix isn't completely effective, although it does make poisoning take way longer. Did he quietly share the news with DNS vendors and try to work out a fix? Hell no, not only did he post the story on his blog, he helpfully included exploit code with it, because having to write your own might slow down attackers for a few hours.

I understand the desire to release the news as soon as possible; Kaminsky is pretty much the most famous security researcher in the world at the moment, but what the hell? Now the New York Times has picked it up, so anybody with a couple of good computers and a few hours on their hands can try poisoning a nameserver just for fun.


Anonymous said...

"most famous security researcher in the world"? Excuse me? That title certainly belongs to Bruce Schneier, doesn't it? ;-)

All the best,

Michael Mrozek said...

That is very true. As we all know, Bruce Schneier writes his books by generating random text of the appropriate length and decrypting it.