Once upon a time, being a hacker required deep skill in arcane arts and links to near-mythical chat boards where initiation ceremonies made the Freemasons look tame. Now all you have to do is read Techmeme, it seems. Nice article by Larry Dignan here on ZDNet re all the scares on internet security, which tallies with what I was thinking:
Thus far this summer, the Internet has not cracked, even though Dan Kaminsky basically revealed all the details of a flaw in the Domain Name System that could have led to a train wreck on the Internet. Thankfully, he cautiously provided the details, so patches could be put in place to prevent identities of users of banking and other sites on the Web to be hijacked, first.
Now, two security researchers have demonstrated how huge amounts of unencrypted Internet traffic can be siphoned off through the Border Gateway Protocol. One computer expert said in this Wired article that he “went around screaming my head about this about ten or twelve years ago” to intelligence agencies and to the National Security Council to no effect.
That’s the point. So far, the black hats haven’t shown they are smart enough to exploit hijack IDs through the DNS flaw or Internet traffic through the BGP eavesdropping.
Meanwhile, though, there seem to be plenty of dumb guys in white hats, making life miserable for thousands or millions of computer and Web users.
The Kaminsky affair sent us scurrying around our own DNS (see Dave's thoughts here), and I also felt that in this sort of situation, a bit of dignified silence in public forums wouldn't hurt. The serious question, though, is how should one disseminate data of this sort? I can't believe there are not people at all the major telcos, ISPs, standards bodies and manufacturers who could be tipped off first.
Thoughts?
(Dave notes that Dan Kaminsky did actually get all the DNS vendors together in secret to work on patches before the flaw was publicly announced. The news did leak, but the vendors still got a good head start. The usual model when a "good guy" discovers a vulnerability is to give the vendor 30, 60 or even 90 days to fix it before going public. Most security people seem to regard this system as imperfect, but no one can think of a better one!)