Opinion
FUD Watch | DNS Flaw Worth the Worry
Senior Editor Bill Brenner notes that it's pretty common for the research community to amp up the hype around certain security flaws. In the case of a flaw in the Internet's Domain Name System (DNS), he writes, the alarm may be justified this time.
By Bill Brenner, Senior Editor
Kaminsky discovered the flaw some time ago, but waited until all the affected vendors could develop a patch before he disclosed it publicly. This took a lot of discipline on his part, since the urge to disclose a big find is usually irresistible for a researcher. I even give credit to the folks at Matasano for taking responsibility after they accidentally spilled the beans.
Matasano's Tom Ptacek apologized to Kaminsky in the Matasano blog. "We regret that it ran," he wrote. "We removed it from the blog as soon as we saw it. Unfortunately, it takes only seconds for Internet publications to spread."
I've seen researchers spill details like this in the past, only to take a self-righteous, defensive tone - bloviating about the importance of full disclosure as if releasing the full recipe for an attack was really in a company's best interests.
Instead, Ptacek took responsibility and did so with class.
There were mistakes in the handling of this for sure, but at least everyone tried to do the right thing.
The good news is that a patch exists, and companies will be protected if they apply it.



