There are way too many great points and posts and thoughts about the Dan Kaminsky/DNS/exploit release issues flying around right now. There are even plenty that really rankle my tail feathers. Hence a quick rant to throw down my opinion.
Could Dan and HD Moore/I)ruid have handled things better/differently? Sure, but that’s hindsight for us, ain’t it? Whether it could have been better or not, the reality is already upon us and done. Stop whining. Your blog isn’t going to convince security researchers to play nicer. (And quite frankly, I’d rather they continue to break shit.)
We all need to keep in mind that much of our lives as security geeks is a direct result of exploits being developed and released, no matter who develops or releases them. From actually getting action from our vendors to showing our dumb users the folly of their ways to actually getting mainstream awareness so that we can improve our budgets. All of that can likely trace roots back down to some exploit or in the wild POC or a better piece of software because someone poked a stick at it hard enough and long enough.
It’s almost sickening to see security professionals tripping over each other decrying so-and-so’s disclosure or so-and-so releasing an exploit. It almost feels like several people are trying to take the high road while saying “look at me, look at me!”
Isn’t that part of our game? Isn’t that a risk we face every single day? Neither this incident nor this exploit (and others like it released publicly or privately) ultimately changes anything. It was readily apparent from reading the speculation and confirmation of the DNS vuln to know that writing an exploit wasn’t going to be difficult and many people could/would do it. Hell, knowing Dan accidentally discovered it and that it was a design flaw should have been clue enough that this was not going to be something only 10 hackers in the world could write. The vendor response should have been clue enough…
And before decrying the ones who developed and weaponized it, remember that whether a white hat built it or not, the risk was still there. I for one would rather have good guys (or anyone) write an exploit and get the knowledge out there, rather than sit in a corner and pretend the cyberworld is happy and filled with laughing puppies and frolicking kittens. Again, this is part of our game as security professionals…again stop whining.
By the way, saying it is greed means you don’t understand the hacker or even IT ethic, and you probably aren’t really in touch with Internet culture nearly as close as you think you are. Sure, it might have been greed, but unless you know the person personally and for a fact that it was, pipe down; you just look jealous.
So I suppose that makes me part of the axis of evil “whiners” who disagree with this positioning but are dismissed because nothing we say could possibly change the status quo.
I disagree with many of the points you raise.
I’d love to take your post apart in a constructive way (as I’m having discussions like this with a couple of very notable “researchers,”) but I’m not convinced it would be received with the same, um, open mindedness that you’re suggesting I’m supposed to have about researchers.
Frankly, I don’t know what to do…perhaps I’ll have another beer. I’m on vacation.
/Hoff