Security group: Vulnerability disclosure is impractical

The scramble over Dan Kaminsky's DNS flaw discovery proves that full disclosure is simply not feasible. That's the contention made by Ira Winkler, president of the Internet Security Advisors Group, at the RSA Europe conference in London. 

"I simply don't believe in full disclosure," Winkler said. "I realize that there are arguments on either side, but this case represents the best and worst about vulnerability disclosure."

Winkler said he believes that the critical DNS flaw was already known to hackers before the researcher's discovery.

"Some people obviously knew about this years before, certainly at a government-agency level," he said. "I've worked with the NSA, and yes, they are trying to hack software – we'd all be pretty disappointed if they weren't!"

The DNS flaw lets attackers "poison" a resolver's DNS cache, so that users requesting legitimate sites are silently redirected to malicious ones.

Dan Kaminsky discovered the flaw and passed it on to vendors so they could patch the problem before the details were made public. However, a confidential briefing to other researchers was leaked, and exploit code became available before the planned public-disclosure date, which had been timed to coincide with Kaminsky's Black Hat talk on the topic.

"It's always where public acknowledgment comes into it that things begin to go wrong. If there is ego involved, then there will be an exploit produced," he said. "Somebody always wants the dubious glory of being the first to publish new exploit code."

Since then, Kaminsky has admitted to erring in failing to notify anybody in the security research community of the vulnerability, which potentially put more people at risk.

"It's not something I'd ever do again," he said on his DoxPara Research blog earlier this month. "It's not just that you can't vouch for your own bugs. It's that, without peer review, you don't know what bugs people are going to think you're recapitulating, and you don't even really understand the severity of your issue."

But he defended his decision to use partial disclosure in this case.

"...If our goal is to protect customers, and one particular bug will affect almost all of them, and a phased disclosure of information will protect the greatest number of customers possible — then perhaps there's a place for this mode," he said.
