I meant to write about this back when the story broke, but I got caught up in non-blog activities. Anyway, I just want to say that I think Dan Kaminsky is my kind of hacker. He may have been criticized by some for how he handled the DNS flaw he uncovered — and he ultimately admitted that he was wrong in his approach — but I fully believe he said what he said and did what he did (or didn’t do what he didn’t do) for all the right reasons.
A flaw that’s common to basically every DNS server on the net, essentially a vulnerability that’s woven into the fabric of the net itself, HAS to be handled very carefully, quietly, quickly, and decisively. Dan didn’t want to risk any unnecessary leakage of the flaw’s details, so he kept the details more or less to himself while he worked with vendors across the board to come up with a multi-vendor patch. Eventually, he was kind of forced to reveal the details when another researcher (or group) correctly guessed the nature of the flaw. However, I believe that Dan’s actions probably prevented what could have been a massive attack before most of the vendors, ISPs, and clients could be patched.
An interesting sideline to this story is that I was pretty well safe from this flaw even before I read about it. First, since I use Linux (Ubuntu) at home, I was safe from a client perspective because the Debian/Ubuntu patches for BIND and other DNS-related services were available only a couple of days after Dan first disclosed the flaw. Second, I have a friend who suggested I switch my network to use OpenDNS instead of my ISP’s DNS servers. Great decision, not only because OpenDNS allows me to do some very nice, unobtrusive filtering, but because OpenDNS’ servers were also patched very early.
I typically don’t worry too much at all about viruses and other OS or application vulnerabilities, simply because of the fact that I use Linux and open source software. But it’s nice to know I’m safe even from a net-wide, ground-level flaw like this one. This was a flaw in the infrastructure of the net itself, but the infrastructure of my net kept me safe when I didn’t even know there was a risk.
By the way, if you wonder whether you’re still vulnerable, or at least whether your ISP’s DNS servers are vulnerable, check out the handy DNS checker Dan put together, right on the front page of his website. Very cool.