Dan Kaminsky finally succeeded in getting the security research community to back his claims about a design flaw in DNS. After months of working with vendors to create and distribute patches, he admitted that he made a mistake and didn’t realize that “you don’t get to make a whole bunch of noise without some technical details to back it up.”
According to Computerworld, Kaminsky said, “I’m the DNS guy in the Black Hat community, so if I’m saying it’s bad, then it’s bad. It didn’t occur to me that people would question it… My concern the entire time was that the public would panic, so I was thinking, ‘How do we get an orderly patch when this has never happened before?’”
And question it they did. After the Tuesday announcement, several notable names questioned the validity of this claim.
To address the technical doubts about his claim, Kaminsky held a conference call with three security researchers. One was Thomas Ptacek of Matasano Security, who led the attack against his claim. Another was Dino Dai Zovi, winner of the $10K prize in the “Pwn to Own” contest and a fellow skeptic of Kaminsky’s claim. After the call, both were convinced that the DNS flaw was credible and critical.
“Dan’s got the goods,” Ptacek said in the Matasano blog.
“Dan explained the full details and scope of his attack and both of us were impressed and agreed that it is way more serious than we had imagined,” Dai Zovi said in his blog. “When the full details of Dan’s attack come out, you will most likely be impressed. I definitely was.”
However, Ptacek did question Kaminsky’s methods in dealing with the problem. He believes that Kaminsky should have gone public about the flaw first. Kaminsky says he learned from his mistake.
“I’m very happy with how this all turned out. I’m very pleased that people are patching… But peer review is important. If there’s no full disclosure, there has to be at least peer review. I agree with the skeptical reaction. If it happened again, I would never do it this way. I’d still try to delay disclosure, but I’d bring in other voices.”
Kaminsky is scheduled to give a presentation on the DNS flaw on August 7th during the Black Hat convention, which runs from August 2nd to 7th in Las Vegas.