On The Internet, There Are No Secrets - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Software // Information Management
Commentary
7/22/2008
08:21 AM
Mike Fratto
Mike Fratto
Commentary
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

On The Internet, There Are No Secrets

One thing is true about the security research community, it is populated by people that don't like to be told what to do or how to act. Halvar Flake thought the way the DNS disclosure was handled was OK, but didn't think the discussion blackout would be useful. So setting off as a DNS novice, he spent a few hours figuring out the problem. He got pretty close, too. So then Matasano Security

One thing is true about the security research community, it is populated by people that don't like to be told what to do or how to act. Halvar Flake thought the way the DNS disclosure was handled was OK, but didn't think the discussion blackout would be useful. So setting off as a DNS novice, he spent a few hours figuring out the problem. He got pretty close, too. So then Matasano Security disclosed and then pulled the details. By then it was too late.There has been this creeping silence in movement in responsible disclosure to keep information from the folks who need it. I have never been a fan of responsible disclosure, but I understand the arguments. Notify vendors about problems and allow them time to fix it, then when the patch is released, publish the details. The hope is that vendors will patch problems in a reasonable time frame and that IT administrators will patch. If they want, they also can review the technical details and maybe even develop a check.

That's all well and good, but Dan Kaminsky's recent advisory took the unusual step in that 1) the details weren't released at the time of the advisory/patch and 2) he asked others to keep the details quiet if they figured it out. The question is why? The stated reason is to give organizations the time to patch their DNS servers before the bad guys figured out the exploit. Well, that's just wishful thinking.

If you want to keep a secret, don't tell anyone. If you do tell someone a secret, chances are, they will tell someone else. Your secret is gone. It's amazing that Kaminsky and the vendors working on the patch were able to keep the secret for the 8 months they were coordinating the patch. But once the news is out, it's only a matter of time before the bad guys figure out what the problem is and how to exploit it. For that matter, once a patch is released, reverse engineering the patch to find the vulnerability is like leaving a trail of bread crumbs for anyone skilled enough to follow. There are even investigations by researchers at Carnegie Mellon, UC Berkeley, and University of Pittsburgh into automating the process.

Kaminsky violated rule #1 in security: obscurity doesn't work. Ever. In fact, the way this whole thing was managed, Kaminsky was practically begging for someone to come along and break the details. Does anyone think the bad guys were not working on this very problem the moment they saw the announcement and ensuing speculation? Or that they couldn't figure it out in a short time? Of course not.

I think the 30-day suppression period, time to fill Kaminsky's session at Black Hat in Vegas, hurt more than it helped. The backlash and speculation wasn't stemmed. The details still came out early. And really, if you hadn't patched your DNS by now, is this going to motivate you? Probably not. But next time, just come clean with the details when the advisory and patch is announced, lest you be outted by your peers.

One last thing. The details are being pulled from sites that have it posted. You can find the details on Slashdot. Or you can e-mail me and I will send it to you.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Slideshows
What Digital Transformation Is (And Isn't)
Cynthia Harvey, Freelance Journalist, InformationWeek,  12/4/2019
Commentary
Watch Out for New Barriers to Faster Software Development
Lisa Morgan, Freelance Writer,  12/3/2019
Commentary
If DevOps Is So Awesome, Why Is Your Initiative Failing?
Guest Commentary, Guest Commentary,  12/2/2019
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
Getting Started With Emerging Technologies
Looking to help your enterprise IT team ease the stress of putting new/emerging technologies such as AI, machine learning and IoT to work for their organizations? There are a few ways to get off on the right foot. In this report we share some expert advice on how to approach some of these seemingly daunting tech challenges.
Slideshows
Flash Poll