Out of Cookies
Thirty minutes before Kaminsky took the stage at Black Hat to reveal the details of the flaw at last, people started to flood the ballroom at Caesar’s Palace in Las Vegas. The speaker preceding Kaminsky hastened to wrap things up. Seats ran out, and people sat cross-legged on every square inch of carpet. Kaminsky’s grandmother, who was sitting in the front row, had baked 250 cookies for the event. There were nowhere near enough. Kaminsky walked up to the podium. “There’s a lot of people out there,” he said. “Holy crap.” Kaminsky is tall, and his gestures are a little awkward. As of early August, he said, more than 120 million broadband customers had been protected, as Internet service providers applied patches. Seventy percent of Fortune 500 companies had patched their systems, and an additional 15 percent were working on it. However, he added, 30 to 40 percent of name servers on the Internet were still unpatched and vulnerable to his 10-second cache-poisoning attack. Onstage, he flipped between gleeful description of his discovery’s dark possibilities and attempts to muster the seriousness appropriate to their gravity. He spoke for 75 minutes, growing visibly lighter as he unburdened himself of seven months’ worth of secrets. As he ended his talk, the crowd swept close to him, and he was whisked off by reporter after reporter. Even those security experts who agreed that the vulnera­bility was serious were taken aback by Kaminsky’s eager embrace of the media attention and his relentless effort to publicize the flaw. Later that day, Kaminsky received the Pwnie award for “most overhyped bug” from a group of security researchers. (The word “pwn,” which rhymes with “own,” is Internet slang for “dominate completely.” Kaminsky’s award is subtitled “The Pwnie for ­pwning the media.”) Dai Zovi, presenting the award, tried to list the publications that had carried Kaminsky’s story. He gave up, saying, “What weren’t you in?”“GQ!” someone shouted from the audience. Kaminsky took the stage and spat out two sentences: “Some people find bugs; some people get bugs fixed. I’m happy to be in the second category.” Swinging the award–a golden toy pony–by its bright pink hair, he stalked down the long aisle of the ballroom and out the door. Who’s in Charge?
Depending on your perspective, the way Kaminsky handled the DNS flaw and its patch was either dangerous grandstanding that needlessly called public attention to the Internet vulnerability or–as Kaminsky sees it–a “media hack” necessary to train a spotlight on the bug’s dangers. Either way, the story points to the troubling absence of any process for identifying and fixing critical flaws in the Internet. Because the Internet is so decentralized, there simply isn’t a specific person or organization in charge of solving its problems.And though Kaminsky’s flaw is especially serious, experts say it’s probably not the only one in the Internet’s infrastructure. Many Internet protocols weren’t designed for the uses they’re put to today; many of its security features were tacked on and don’t address underlying vulnera­bilities. “Long-term, architecturally, we have to stop assuming the network is as friendly as it is,” Kaminsky says. “We’re just addicted to moving sensitive information across the Internet insecurely. We can do better.” Indeed, at another security conference just days after Kaminsky’s presentation at Black Hat, a team of researchers gave a talk illustrating serious flaws in the Internet’s routing border gateway protocol. Like Kaminsky, the researchers had found problems with the fundamental design of an Internet protocol. Like the DNS flaw, the problem could allow an attacker to get broad access to sensitive traffic sent over the Internet.