On The Internet, There Are No Secrets

One thing is true about the security research community, it is populated by people that don't like to be told what to do or how to act. Halvar Flake thought the way the DNS disclosure was handled was OK, but didn't think the discussion blackout would be useful. So setting off as a DNS novice, he spent a few hours figuring out the problem. He got pretty close, too. So then Matasano Security disclosed and then pulled the details. By then it was too late.There has been this creeping silence in movement in responsible disclosure to keep information from the folks who need it. I have never been a fan of responsible disclosure, but I understand the arguments. Notify vendors about problems and allow them time to fix it, then when the patch is released, publish the details. The hope is that vendors will patch problems in a reasonable time frame and that IT administrators will patch. If they want, they also can review the technical details and maybe even develop a check.

That's all well and good, but Dan Kaminsky's recent advisory took the unusual step in that 1) the details weren't released at the time of the advisory/patch and 2) he asked others to keep the details quiet if they figured it out. The question is why? The stated reason is to give organizations the time to patch their DNS servers before the bad guys figured out the exploit. Well, that's just wishful thinking.

If you want to keep a secret, don't tell anyone. If you do tell someone a secret, chances are, they will tell someone else. Your secret is gone. It's amazing that Kaminsky and the vendors working on the patch were able to keep the secret for the 8 months they were coordinating the patch. But once the news is out, it's only a matter of time before the bad guys figure out what the problem is and how to exploit it. For that matter, once a patch is released, reverse engineering the patch to find the vulnerability is like leaving a trail of bread crumbs for anyone skilled enough to follow. There are even investigations by researchers at Carnegie Mellon, UC Berkeley, and University of Pittsburgh into automating the process.

Kaminsky violated rule #1 in security: obscurity doesn't work. Ever. In fact, the way this whole thing was managed, Kaminsky was practically begging for someone to come along and break the details. Does anyone think the bad guys were not working on this very problem the moment they saw the announcement and ensuing speculation? Or that they couldn't figure it out in a short time? Of course not.

I think the 30-day suppression period, time to fill Kaminsky's session at Black Hat in Vegas, hurt more than it helped. The backlash and speculation wasn't stemmed. The details still came out early. And really, if you hadn't patched your DNS by now, is this going to motivate you? Probably not. But next time, just come clean with the details when the advisory and patch is announced, lest you be outted by your peers.

One last thing. The details are being pulled from sites that have it posted. You can find the details on Slashdot. Or you can e-mail me and I will send it to you.