July 11, 2008 1:01 PM PDT

Security Bites 107: Dan Kaminsky talks about responsible vulnerability disclosure

by Robert Vamosi

Dan Kaminsky at DefCon in 2006.

(Credit: Declan McCullagh / CNET News)

In the middle of a flood of news surrounding a serious vulnerability within the fundamental structure of the Domain Name System (DNS) is the story of how researcher Dan Kaminsky chose to handle his discovery and, hopefully, its mitigation. What Kaminsky did was coordinate several vendors in a multiparty, simultaneous release of a patch, one that he feels doesn't lend itself to easy reverse engineering.

For the moment, Kaminsky is not talking details. He's hoping that people will apply the various patches, update their DNS servers and clients, and do so before the bad guys can craft their exploits. He's giving everyone 30 days before he spills the technical details at this year's Black Hat conference in Las Vegas in August.

Kaminsky, director of penetration testing at IOActive, is no stranger to discovering vulnerabilities. In this case, however, he says he wasn't looking for the DNS flaw, but after three days of testing he knew he had something important.

In this week's Security Bites podcast interview, Kaminsky talks about what goes through his mind when he hits upon a suspected vulnerability and how he decides to proceed from there, and what he's learned thus far from the whole DNS patch experience.

A transcript of this podcast can be found here.


Listen now: Download today's podcast

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
by Tergon July 11, 2008 3:22 PM PDT
MP3 cuts out at 10:23; it says "We ended up choosing a fix that would . . ."
This happens both on the podcast post and here on cnet.com. Please repost this podcast, as this is probably the most important fix since companies started patching instead of just new releases.
by Robert Vamosi July 14, 2008 10:01 AM PDT
Yes, there was a technical glitch with the MP3 file on Friday. I apologize for the inconvenience. I have since reposted the file and as of Monday morning it now plays in full.

I have also published a transcript of the interview here.