Yesterday I linked to a post on the DNS vulnerability that is looming over the internet right now. At the request of the author, I pulled that post shortly afterwards because he had posted before he was supposed to. I honored the request, but here are a few things that I think need to be said:

  1. It’s not like this vulnerability was black magic or anything. I’ve only been in the security field for a few years, but teamed with many years of system administration, I was able to guess pretty much spot on what the vulnerability was and how to take advantage of it from the information at hand.
  2. Let’s not kid ourselves. If we think we have something that is absolutely groundbreaking, it’s probably not in reality. Unless you just figured out a way to make cars run off of water or a way to wirelessly charge laptops and other devices, or some other revolutionary fix to some great problem at hand, it’s probably been thought of by others before. In approximately 2000 or 2001, while working on a new DNS implementation, I spent some time with the intricacies of how DNS works and thought to myself that the whole “ticket system” was weak and could be exploited. Lo and behold, only 7 years later it is confirmed. I’m not claiming to be God here, but come on people, anyone that has ever pulled off a man-in-the-middle attack has the knowledge to exploit this flaw, even if only in theory. (edit: Please don’t read this as an attack on Dan or any of the other intelligent researchers that found this flaw. I have the utmost respect for Dan and the others involved and would never want to belittle their work. This and the other thoughts in this post are meant to be general comments on disclosure as a whole and not picking on anyone involved in this particular vulnerability.)
  3. Non-disclosure is not necessarily a Good Thing™. In this case, I found it a little hard to urge some individuals to patch ASAP without a known exploit in the wild or even documents explaining the vulnerability. (Some people want it all laid out so they can judge severity for themselves.)
  4. Finger pointing is so Old School™. Does it really matter who let the cat out of the bag? Even if you weren’t one of those “in the know” (I wasn’t), if you had any experience with DNS and/or security you had a pretty darn good idea what this was. If you are not on the up and up with being ethical on the internet, you were/are pretty damn close to a working exploit, if you don’t already have one.

I know this might cause some heartburn with some, but let’s face it, the “good guys” are usually one step behind the “bad guys” and I don’t think this was any exception. Maybe we (the aforementioned “good guys”) happened to stumble upon this particular flaw first, but as soon as anything was said, especially when the vulnerability was supposed to have something to do with the QID, it was pretty easy to assemble what was flawed and how to theoretically exploit it.

Remember to be civil in the comments. Focus all the negative energy on patching, which will actually help us as a whole at this point…