Security group: Vulnerability disclosure is impractical
The scramble over Dan Kaminsky's DNS flaw discovery proves that full disclosure is simply not feasible. That's the contention made by Ira Winkler, president of the Internet Security Advisors Group, at the RSA Europe conference in London.
“I simply don't believe in full disclosure," Winkler said. "I realize that there are arguments on either side, but this case represents the best and worst about vulnerability disclosure.”
Winkler said he believes that the critical DNS flaw was already known to hackers before the researcher's discovery.
“Some people obviously knew about this years before, certainly at a government-agency level," he said. "I've worked with the NSA, and yes, they are trying to hack software – we'd all be pretty disappointed if they weren't!”
The DNS flaw enables hackers to “poison” the DNS cache, enabling malefactors to shunt legitimate site requests from users to malicious sites.
Security researcher Dan Kaminsky discovered the flaw and passed it onto vendors so they could patch the problem. However, a confidential briefing to other researchers was leaked, resulting in the availability of exploit code before the patch release date – timed to coincide with Kaminsky's Black Hat talk on the topic.
“It's always where public acknowledgment comes into it that things begin to go wrong, if there is ego involved, then there will be an exploit produced," he said. "Somebody always wants the dubious glory of being the first to publish new exploit code."
Since that happened, Kaminksky has admitted to erring in failing to notify anybody in the security research community of the vulnerability - which potentially put more people at risk.
"It's not something I'd ever do again," he said on his DoxPara Research blog earlier this month. "It's not just that you can't vouch for your own bugs. It's that, without peer review, you don't know what bugs people are going to think you're recapitulating, and you even don't really understand the severity of your issue."
But he defended his decision for partial disclosure, in this case.
"...If our goal is to protect customers, and one particular bug will affect almost all of them, and a phased disclosure of information will protect the greatest number of customers possible — then perhaps there's a place for this mode," he said.