On The Cost of 5 Minutes Of Fame

The pattern is known from years and years of similar experiences: A security researcher publishes an exploitable flaw in software, or notifies the vendor(s) sub rosa.

The software gets patched, eventually, and the researcher gets five minutes of fame and/or a hearty slap on the back from the vendor.

This story is different. Upon discovering a way to exploit vulnerabilities in the design of the Domain Name System, Dan Kaminsky got together (no small feat, that) practically all the providers of affected software and convinced them to coordinate their efforts and release patches at the same time. What’s more, he convinced major users of affected software that couldn’t or wouldn’t be patched (such as Yahoo, up until then users of BIND 8) to renounce their heathen ways and migrate to a patched solution. All this was done in perfect secrecy, which is yet another miracle.

However, on July 7, Mr. Kaminsky publicly announced the existence of a flaw, stating that he would make a full disclosure at the BlackHat conference on August 6 and that the patch itself (due to be released the next day) did not provide sufficient information for black-, grey- or white-hat hackers to reconstruct the flaw.

In hacker circles, them’s fightin’ words. Mr. Kaminsky was called a liar (and worse) by competitors and bystanders alike. Remaining true to his original stance, Mr. Kaminsky tried to silence his critics by disclosing to some of them, in private, some details of the vulnerability and telling the rest, effectively, to go do whatever it was they were doing until August 6, when all would be revealed. They did not wait.

Halvar Flake (the hacker alt of security researcher Thomas Dullien) was first to the ball and published his discovery. Then, the unthinkable happened: a member of the cabal – one of the chosen few experts made privy to the secret by Kaminsky in a bid to re-establish his credibility – confirmed that yes, Halvar Flake had indeed gotten the right idea on what the vulnerability really was. The leak happened on the Matasano Chargen blog and was promptly retracted, but the cat was well and truly out of the bag. The magic of Google and the doggedness of security researchers and aficionados scouring the web for clues made sure it couldn’t be put back in.

Fast forward to July 23. There are still many days to go before the conference, but what about the flaw? Well, it’s been exploited, and the exploit published as a Metasploit plugin by none other than Metasploit creator HD Moore, working in conjunction with a researcher going by the moniker |)ruid. Metasploit is a free/open source penetration testing and security audit tool.

Two days later, version 2 of the exploit is live and researchers are working feverishly to make Dan Kaminsky’s brag that the flaw would take “seconds” to exploit a reality. Needless to say, there are still many, many vulnerable servers out there. Any one of them, exploited, could send innocent web surfers into the waiting arms of phishers and identity thieves instead of directing their browsers to the real IPs of, say, Yahoo or Bank of America. Not that the Web is all the Internet is used for these days. Many other services depend on DNS in some way. Dan Kaminsky has kindly published a checker tool on his blog, so you too can see if the DNS you’re using is vulnerable. It’s the least he could do.

About the author

Razvan Stoica is a journalist turned teacher turned publicist and technology evangelist. When Bitdefender isn't paying him to bring complex subjects to wide audiences, he enjoys writing fiction, skiing and biking.

Razvan Stoica started off writing for a science monthly and was the chief editor of a science fiction magazine for a short while before moving on to the University of Medicine in Bucharest where he lectured on the English language. Recruited by Bitdefender in 2004 to add zest to the company's online presence, he has fulfilled a bevy of roles within the company since.

In his current position, he is primarily responsible for the communications and community-building efforts of the Bitdefender research and technology development arm.