Version: 2008

Comments on: Column: The man who changed Internet security

Future vulnerability disclosures should benefit from Dan Kaminsky's responsible handling of Tuesday's DNS flaw.

(14 Comments)
by inachu July 14, 2008 7:55 AM PDT
I miss the days when most government agencies had their own BBS.
Using telnet and going into various areas, just exploring.
I went from my local library to MIT, then on to NIST, then on to some Tokyo university BBS; retracing my steps, it went all the way around the world through NASA, then logged back into my library.
Sad to see we can't do that anymore. No more wild jungle.
by tekwiz4u July 14, 2008 11:17 AM PDT
It's commendable what he did. He wasn't in it for bragging rights, like most of the hackers out there. The exploit would have been bad for all of us. But he took it upon himself to be responsible to benefit the greater whole. Good job.
by n3td3v July 14, 2008 11:28 AM PDT
Media hype and clever marketing for the Black Hat security conference.

Let's find out who is making the money; this vulnerability is overhyped.
by The_Decider July 14, 2008 12:10 PM PDT
Responsible? Only because the parties involved took it seriously.

If they had not, and Kaminsky hadn't disclosed, it would have been irresponsible. The black hats would have found it eventually, leaving everyone at their mercy.

Full disclosure is always better than those idiots who think there is any merit to security through obscurity.
by RobertinOhio July 14, 2008 12:44 PM PDT
As a security professional who is certified, I still do not see the value of this "admirable approach" to releasing security incidents and vulnerabilities. Yeah, Dan Kaminsky has made a name for himself in the security community. If he was just some other schmo...then he would have never seen the inside of any vendor's office. My name does not mean jack, so I know I am not going to pick up the phone and get a meeting at Cisco or Microsoft in a couple of days to discuss the issue with them. I am going to put my discovery on Bugtraq, and if the Internet gets shut down in North America as a result...oh well.

BUT...if I do sit on it and a hacker finds the exploit, and then I come out afterward, I get nailed for not sharing it. Damned if I do and damned if I don't. The good guys always lose.

Another thing I have learned is that the hacker will almost always win. All you can do is contain, eradicate, and learn from attacks and exploits to make it harder for them to break in. Not sharing your discoveries with the general public, and only with vendors, is most certainly NOT the way to resolve these issues, however. I do not commend Dan Kaminsky for his actions; he is setting a BAD precedent. One that, unfortunately, Infragard, another organization with a history of one-way traffic with information, follows.
by DanKaminsky July 14, 2008 2:13 PM PDT
Robert--

The vendors have become pretty good at responding to stuff -- and, of course, if you do find something of technical value, please feel free to contact me and I will be happy to help. I'm trying to find a balancing point between not releasing (which leads to no patches, and/or no deployment of patches) and releasing in a problematic manner (i.e. even those places that are responsible, and do maintain their security, are still hit). Maybe this isn't perfect, but please give me the benefit of the doubt until you know just what I've found.
by RobertinOhio July 15, 2008 7:15 AM PDT
Dan,

I think vendor response is again a matter of perspective. I work PCI vulnerabilities almost exclusively, and you would be amazed when a vulnerability is discovered and the vendor considers it an "enhancement" and wants money to correct it!

I take care of my personal data because I know it is a free-for-all out there. But to be honest, I am not getting that meeting with Micro$oft. Ain't happening. I know people who have been doing security work for 15+ years and have government experience. They are not getting access either. We get Bugtraq. So to be honest, I am not going to any sleep at night if AT&T's North American network drops if I post a vulnerability in some system on Bugtraq. Period. If I am to be at the mercy of the free-for-all, I will play the game as a free-for-all.

On a side note, I do not have much of an issue with retaliation against attackers either. Then again, I might have a bit more flexible ethics and morals than most people. I think if the Internet were viewed from this perspective, security WOULD become everyone's business instead of a slogan on a poster.

Security is like any other field. It is a who-knows-who, political-football, "do we have the money to fix that" field.
by RobertinOhio July 15, 2008 7:41 AM PDT
Sorry...I meant to say "I will not LOSE any sleep at night if AT&T blah blah" in my response. Sorry for the bad grammar.
by DanKaminsky July 14, 2008 2:17 PM PDT
Decider--

I agree. It's only because the vendors were so amazingly responsive that this path could be taken at all. If they'd been lame, we'd be screaming at them for being so. So, since they weren't lame, in all fairness they deserve some appreciation for that.
by n3td3v July 14, 2008 3:47 PM PDT
Dan Kaminsky is making money out of this, there is no doubt.

If he hadn't circled his disclosure around a profiteering security conference I wouldn't bash this **** so much.

Because he has circled his disclosure around a big security conference, I know his motivation is money.

I don't know who he has been shaking hands with and what money has been exchanged, but this is something for the government to wiretap.
by mehap July 14, 2008 11:12 PM PDT
So what if he is making/indulging in making money?

Your whole system is geared toward making money.

How do you survive mate?
by DanKaminsky July 15, 2008 3:45 PM PDT
n3td3v--

Dude, did you miss the fact that Defcon is like three days later? Black Hat is just practice for Defcon :) Seriously, the last big talk was Seattle Toorcon. Rickrolling the Internet isn't exactly profit source number one.
by Mteicher July 19, 2008 7:26 AM PDT
"gravitas and reputation"? What has happened to scanrand, the million-mile-per-hour port scanner he once purported would trump most commercial scanners? Isn't this just hype to pump up hits to IOActive? How does this help the community at large? Why doesn't he do something to help the environment, like pick up trash off the side of the highways? Or help the NHTSA design better bridges??
by Seaspray0 July 19, 2008 5:31 PM PDT
I admire Dan for doing the right thing. So often people only think of themselves. Dan did what was best for all of us. While it doesn't grab the immediate monetary benefits he could have gained, it shows great integrity, and that does count when it comes to working relationships. It's hard to find people whom you can trust these days, and when you do, you will want to do business with them. Good luck to you, Dan.
About Defense in Depth

Covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews of the top security researchers, as well as offering the hands-on, nontechnical advice you'll need to stay safe online.