
The DNS Debacle In Poetic Review

A few months ago
Kaminsky discovered a flaw.
It was with DNS,
It was nasty and raw

He decided that rather
to disclose all at once
he'd instead only tell people
who'd fix it in months

So some meetings were had
and work soon began
vendors wrote patches
coordinated by Dan

Fast forward some time
out the closet it came
some researcher types
got into the game

Dan's rules were quite simple,
that in 30 days
he'd present during Blackhat
and we'll all be amazed

A bunch of big egos
called Dan on a bluff
said his vuln was a copy
of 10 year old stuff

So Dan swore them on handshakes
and details were provided
and those same cocky claims
soon all but subsided

It seems that Dan's warnings
weren't baseless at all
Said the same skeptical hackers
"the risk isn't that small!"

So Blackhat was nearing
the web didn't break
then out came a theory
from our friend Halvar Flake

No sooner had he posted
and described the vuln's guts
than Matasano's blog surfaced,
kicked the web in the nuts

It said "Halvar's right!"
we'll no longer keep quiet.
The post's ripple effect
caused a nasty 'net riot

The blog quickly was pulled
but the cat's out of the bag
the arms race began
since there's no longer a gag

Meanwhile the issues of honor and trust
rehashed the debate
of when disclosure goes bust

So Dan's days of thirty
we never did see
thirteen is OK
but I issue this plea

When researchers consider
how to disclose and thus when
will you think of the users?
How it might affect them?

This ego-fueled rush
to put your name on a vuln
has a much bigger impact
than you might have known

If the point here is really
to secure and protect
then consider what image
you really project

In this case the vuln.
is now in the wild
an exploit is coming
DNS soon defiled

The arms race has started
and the clock now is ticking
If you haven't yet patched
you'll soon take a licking

I'm not taking sides really
on the disclosure debate
but rather the topic
of patch early or late

What good is disclosure
if the world couldn't cope
with the resultant attacks
if we've all got just hope?

There's two sides to this issue
both deserve merit
but Dan's rep has been smeared
I say let's just clear it

Rational Survivability: The DNS Debacle In Poetic Review