The scramble over Dan Kaminsky's DNS
flaw discovery proves that full disclosure is simply not feasible,
heard delegates at RSA.
Ira Winkler, president, Internet
Security Advisors Group, said: “I simply don't believe in full
disclosure. I realise that there are arguments on either side, but
this case represents the best and worst about vulnerability
disclosure.”
Winkler said he believed that the
critical DNS flaw was already known to hackers before the
researcher's discovery. “Some people obviously knew about this
years before, certainly at a government-agency level. I've worked
with the NSA, and yes, they are trying to hack software – we'd all
be pretty disappointed if they weren't!”
The flaw enables hackers to 'poison'
the DNS cache, allowing legitimate site requests from users to
potentially be invisibly redirected to malicious sites. Security
researcher Kaminsky discovered the flaw earlier this year and passed it onto vendors so
they could patch the problem. However, a confidential briefing to
other researchers was leaked, resulting in the availability of
exploit code before the patch release date – timed to coincide with
Kaminsky's Black Hat talk on the topic.
“It's always where public acknowledgment comes into it that things begin to go wrong”,
continued Winkler, “if there is ego involved, then there will be an
exploit produced. Somebody always wants the dubious glory of being
the first to publish new exploit code.
“The thing you have to ask yourself
whether security is about protecting systems, or making them more
vulnerable”, he continued. “Security as a concept is never really
achieveable. The dictionary definition is total freedom from risk,
which is simply impossible. It's a question of assessing the risk in
each individual situation.”