Ow My Toe
So there’s been some skepticism about the DNS flaw. I want to be clear: It was richly deserved. A “put up or shut up” mentality is critical to the survival of our industry. It’s just too easy to make stuff up, if you can just wave away detractors with “I can’t prove it…it’d be UNSAFE.”
The danger from that statement is very tempting and very real. Our credibility as an industry — ultimately, our ability to get bugs fixed — depends on that statement being called out as the bullsh*t that it is.
That being said:
It was my belief that this case was an exception to the rules. Nobody reading this can know if I was right or not, because (almost) nobody knows the bug. However, so far, things are going well:
1) Patches are out, from almost everybody.
2) People are installing them.
3) Nobody is panicking.
4) Nobody is being exploited.
Where I come from, that’s pretty damn cool. But that could all have been accomplished…with no actual bug, just vague hand-wavey threats.
And that’s where I went wrong. The vendors know the story. The DNS community knows the story. But I went live with nobody else in the security community having provided peer review. The whole point of the security community is that vendors and even subject matter experts don’t always know how their systems can fall over — that knowing how to build something does not at all imply you necessarily know how to break it.
I thought, being Dan Kaminsky, with years of DNS experience, that I could vouch for my own bug. Er, no. Not even me. Especially not me, the beneficiary of what can only be described as “redonkulous amounts of press”.
And then, when Thomas Ptacek asked me point blank to tell him what the bug was, I refused. It’d be UNSAFE.
Right. We saw where that went. Right where it should have.
And so, on the urging of Rich Mogull, who’s been instrumental at bringing this entire endeavor out from under the shadows (and who was kind enough not to demand the technical details in order to do it), I did what I should have from the start. I provided technical details of the attack to Thomas Ptacek and Dino Dai Zovi, submitting myself for peer review.
So here’s the bottom line. I think people don’t have enough information right now to determine whether there indeed exists any context in which a huge press rush should occur with so few deep technical details. When everything is on the table, I leave it to the community to judge whether we have gained or lost credibility through this effort.
But it’s clear that, in lieu of details, to not even have respected and completely independent members of the community vouching for your work cannot stand, no matter how respected you are in the community, no matter how many vendors are behind you, no matter what. OK. So that’s a fairly big lesson learned, in a process I’ve sort of been making up as I’ve gone along. Thanks to Dino and Thomas for setting me straight.
Now, that all being said, what people should really do is listen to Sarah.