Monday, Wired.com posted a very interesting article about a guy named Dan Kaminsky who, in the midst of a “Percocet-tinged haze,” found a hole the size of the ocean in the underpinnings of the Internet.
The story is interesting in itself as it underscores the ethereal nature of Internet security and, in very scary detail, highlights just how insecure the tools we rely on every day, for a “secure online experience,” can be.
In this case Dan Kaminsky turns out to be an altruistic knight in shining armor, who could have easily exploited the hole he found for fun and profit, and maybe a little jail time.
But here’s what really stuck in my craw. Kaminsky was very quiet about the problem. He essentially passed information about the hole he found on to the Internet equivalent of Homeland Security, letting those who were in a position to fix the problem know that there was a gaping, terrible hole and that, if it were discovered by someone of lesser integrity, it could quite possibly lead to some unparalleled evil.
Those that were given this information were incredibly discreet, making sure that any and every conversation they had on the subject was either behind closed doors, encrypted, or only talked about on landlines. These guys were very aware of the danger and knew that, without question, they had to keep their mouths shut.
But here’s the hoot. Kaminsky, justifiably, wanted to be able to announce what he’d found to the hacking community, so he asked that nothing be publicly announced by the “powers that be” and they agreed. But the Internet security community thought Kaminsky was grandstanding and withholding information for his own benefit. In order to quell the noise, Kaminsky agreed to hold a private conference with a select few Internet security people to clarify and verify the validity of the threat. The Wired piece goes on to state the following:
The call occurred July 9. Kaminsky agreed to reveal the vulnerability if Mogull, Dai Zovi, and Ptacek would keep it secret until the Vegas talk August 6. They agreed, and Kaminsky’s presentation laid it out for them. The security experts were stunned. Mogull wrote, “This is absolutely one of the most exceptional research projects I’ve seen.” And in a blog post Ptacek wrote, “Dan’s got the goods. It’s really f’ing good.”
Sure enough, legitimacy of the danger confirmed. Kaminsky’s right. Cool beans. But the article goes on to say:
And then, on July 21, a complete description of the exploit appeared on the Web site of Ptacek’s company. He claimed it was an accident but acknowledged that he had prepared a description of the hack so he could release it concurrently with Kaminsky. By the time he removed it, the description had traversed the Web. The DNS community had kept the secret for months. The computer security community couldn’t keep it 12 days.
WTF?!? Isn’t this the COMPUTER SECURITY COMMUNITY? And weren’t these the very same people who were riding Kaminsky’s behind for holding onto the information until such time that 1) the hole was fixed, and 2) Kaminsky was able to talk about the discovery that he had made?
The grandstanders, it appears, were the very guys that held themselves out as the “Protectors of the Internet,” (for a small profit of course) who “needed” this information in order to protect their clients’ assets. The real hero? Dan Kaminsky, who only wanted to gain a little legitimate recognition for his considerable discovery. The real tools? The security community who, it appears, wanted to ride Kaminsky’s coattails for their own fame and fortune.
Dorks.
Scary good article that I’m sure I’ve now summarized way too much.