Dan Kaminsky received plenty of criticism from the security community for hyping a flaw he discovered in the Internet's Domain Name System. But he didn't get more than 80 software and hardware vendors together to release a coordinated patch in July based on exaggerations and grandstanding. The vulnerability he discovered is serious and remains an issue for too many servers.
Wired's account of Kaminsky's disclosure of the flaw to Paul Vixie, creator of the popular Internet name server software BIND, is telling: After Kaminsky explained his findings, Vixie said, "The first thing I want to say to you is never, ever repeat what you just told me over your cell phone."
When someone like Vixie, with serious technical cred, puts on the tin-foil hat and worries about eavesdropping, you know the problem isn't trivial.
In late July, when the vulnerability leaked, Kaminsky urged immediate action. He said, "Patch. Today. Now. Yes, stay late."
Most server administrators listened, but not everyone. One in four DNS servers still doesn't perform source port randomization -- one of Kaminsky's risk mitigation recommendations -- according to a recent study conducted by Infoblox and the Measurement Factory.
The Internet dodged a bullet over the summer. The next time it may not be so lucky.
This article was edited on 1/5 to correct the spelling of Counterpane CTO Bruce Schneier.