Did Dan Kaminsky save the Internet?
Yes and no.
He paraded around the press room (in the limited time I was there avoiding being hacked by French journalists/hackers) like he was a conquering hero, promoting himself and his message.
Most of the journos in the room threw him adoring comments and questions like “So was this really a big deal?” to which Kaminsky would sarcastically reply, “Naaaw, not really.” I saw him hold court with a few journalists, and he seemed to really be enjoying himself.
Sure, it’s good for Kaminsky — but is it good for the rest of us?
Since the day when I first wrote about Kaminsky’s warning a month ago, I’ve been bombarded by PR pitches, vendors and pundits all claiming to know better. I heard from the ISC — the dudes that manage BIND (define) and they thought it was serious. I talked to the CTO of VeriSign, the folks that run .com and .net, and they had their own views.
As a person who has set up and maintained DNS (always BIND) over the years, I know full well how hard it can sometimes be to troubleshoot issues. I also know that there are plenty of vulnerabilities in older versions of BIND DNS servers (and others) — and plenty of older DNS servers still operational.
Those older DNS servers represent a silent threat to the integrity of the Internet. Why don’t people upgrade? DNS is like plumbing: If it’s working, you just leave it alone and don’t touch it for fear of breaking it.
Kaminsky changed that by raising the specter of impeding doom.
I’m not certain that his new flaw is more serious than some of the others that might exist in older versions of DNS servers. I am certain, however, that his flaw was new. I am also certain that Kaminsky has done more than any other human in history to raise awareness on a single security issue.
The silent threat that had been lurking in the plumbing of the Internet is silent no more.
DNS is critical infrastructure and it is something that should have been taken more seriously all along. As Kaminsky himself said in his talk at Black Hat, the flaw that he discovered should never have been allowed to happen.
The DNS attack, if it were fully weaponized in a way that could be self-replicating, could have caused problems for Web site users. It could have caused trouble for all e-mail users, too.
Certainly, there are ways to mitigate the risks outlined by Kaminsky, SSL and DNSSEC being two of them. I hope that the Kaminsky hype will also driver broader adoption of SSL as well as pushing DNSSEC further into the mainstream.
The flaw that Kaminsky found has been patched, but it’s still only a Band-Aid, in my opinion. The patch increased the odds against a DNS cache-poisoning attack, but it doesn’t eliminate them. At the core of the Internet itself, VeriSign is continuing to make investments in its own Project Titan effort that will scale up and further protect is authoritative DNS servers (which, by the way, were never at risk from Kaminsky’s flaw).
Kaminsky’s own epic task of rounding up hundreds of vendors and ISPs to take this issue seriously is something for which he should be universally admired and respected. No doubt some money changed hands and Kaminsky overall will profit.
Overall, though, I got the genuine impression that Kaminsky was on a Messianic quest to save the Internet from itself. In the final analysis, we may never know whether or not the Internet really needed a savior — thanks, ironically enough, to Kaminsky’s own efforts.
Article courtesy of InternetNews.com