Technology Review: November/December 2008, Feature Story
and deciding whether to apply them, weighing the danger of the
security flaw against the disruption that the patch will cause.
Because DNS is central to the operation of any Internet-dependent
organization, altering it isn't something that's done lightly. To make
matters worse, this patch didn't work properly with certain types
of corporate firewalls. Many IT professionals expressed frustration
at the lack of detail, saying that they were unable to properly
evaluate the patch when so much remained hidden.
Concerned by the skepticism about his claims, Kaminsky held
a conference call with Ptacek and Dai Zovi, hoping to make them
see how dangerous the bug was. Both came out of the call converted.
But although Dai Zovi notes that much has changed since
the time when hardware and software manufacturers dealt with
flaws by simply denying that security researchers had identified
real problems, he also says, "We don't know what to do when the
vulnerabilities are in really big systems like DNS." Researchers
face a dilemma, he says: they need to explain flaws in order to
convince others of their severity, but a vulnerability like the one
Kaminsky found is so serious that revealing its details might
endanger the public.
Halvar Flake, a German security researcher, was one observer
who thought that keeping quiet was the more harmful alternative.
Public speculation is just what's needed, he says, to help people
understand what could hit them. Flake read a few basic materials,
including the German Wikipedia entry on DNS, and wrote a
blog entry about what he thought Kaminsky might have found.
Declaring that his guess was probably wrong, he invited other
researchers to correct him. Somehow, amid the commotion his
post caused in the security community, a detailed explanation of
the flaw appeared on a site hosted by Ptacek's employer, Matasano
Security. The explanation was quickly taken down, but not before
it had proliferated across the Internet.
Chaos ensued. Kaminsky posted on Twitter, "DNS bug is public.
You need to patch, or switch to [Web-based] OpenDNS, RIGHT
NOW." Within days, Metasploit, a computer security project that
designs sample attacks to aid in testing, released two modules
exploiting Kaminsky's flaw. Shortly after, one of the first attacks
based on the DNS flaw was seen in the wild. It took over some
of AT&T's servers in order to present a false Google home page,
loaded with the attacker's own ads.
OUT OF COOKIES
Thirty minutes before Kaminsky took the stage at Black Hat to
reveal the details of the flaw at last, people started to flood the
ballroom at Caesars Palace in Las Vegas. The speaker preceding
Kaminsky hastened to wrap things up. Seats ran out, and people
sat cross-legged on every square inch of carpet. Kaminsky's grandmother,
who was sitting in the front row, had baked 250 cookies
for the event. There were nowhere near enough.
Kaminsky walked up to the podium. "There's a lot of people out
there," he said. "Holy crap." Kaminsky is tall, and his gestures are
a little awkward. As of early August, he said, more than 120 million
broadband customers had been protected, as Internet service
providers applied patches. Seventy percent of Fortune 500 companies
had patched their systems, and an additional 15 percent
were working on it. However, he added, 30 to 40 percent of name
servers on the Internet were still unpatched and vulnerable to his
10-second cache-poisoning attack.
Onstage, he flipped between gleeful description of his discovery's
dark possibilities and attempts to muster the seriousness
appropriate to their gravity. He spoke for 75 minutes, growing
visibly lighter as he unburdened himself of seven months' worth
of secrets. As he ended his talk, the crowd swept close to him, and
he was whisked off by reporter after reporter.
Even those security experts who agreed that the vulnerability
was serious were taken aback by Kaminsky's eager embrace of
the media attention and his relentless effort to publicize the flaw.
Later that day, Kaminsky received the Pwnie award for "most overhyped
bug" from a group of security researchers. (The word "pwn,"
which rhymes with "own," is Internet slang for "dominate completely."
Kaminsky's award is subtitled "The Pwnie for pwning
the media.") Dai Zovi, presenting the award, tried to list the publications
that had carried Kaminsky's story. He gave up, saying,
"What weren't you in?"
"GQ!" someone shouted from the audience.
Kaminsky took the stage and spat out two sentences: "Some
people find bugs; some people get bugs fixed. I'm happy to be in
the second category." Swinging the award---a golden toy pony---by
its bright pink hair, he stalked down the long aisle of the ballroom
and out the door.
WHO'S IN CHARGE?
Depending on your perspective, the way Kaminsky handled the
DNS flaw and its patch was either dangerous grandstanding that
needlessly called public attention to the Internet vulnerability
Depending on your perspective, the way Kaminsky handled the
DNS flaw and its patch was either dangerous grandstanding that
left many Internet users vulnerable or a "media hack" necessary
to train a spotlight on the bug's dangers.