MIT Technology Review
Out of Cookies
Thirty minutes before Kaminsky took the stage at Black Hat to reveal the details of the flaw at last, people started to flood the ballroom at Caesar’s Palace in Las Vegas. The speaker preceding Kaminsky hastened to wrap things up. Seats ran out, and people sat cross-legged on every square inch of carpet. Kaminsky’s grandmother, who was sitting in the front row, had baked 250 cookies for the event. There were nowhere near enough.

Kaminsky walked up to the podium. “There’s a lot of people out there,” he said. “Holy crap.” Kaminsky is tall, and his gestures are a little awkward. As of early August, he said, more than 120 million broadband customers had been protected, as Internet service providers applied patches. Seventy percent of Fortune 500 companies had patched their systems, and an additional 15 percent were working on it. However, he added, 30 to 40 percent of name servers on the Internet were still unpatched and vulnerable to his 10-second cache-poisoning attack. Onstage, he flipped between gleeful description of his discovery’s dark possibilities and attempts to muster the seriousness appropriate to their gravity. He spoke for 75 minutes, growing visibly lighter as he unburdened himself of seven months’ worth of secrets.

As he ended his talk, the crowd swept close to him, and he was whisked off by reporter after reporter. Even those security experts who agreed that the vulnerability was serious were taken aback by Kaminsky’s eager embrace of the media attention and his relentless effort to publicize the flaw. Later that day, Kaminsky received the Pwnie award for “most overhyped bug” from a group of security researchers. (The word “pwn,” which rhymes with “own,” is Internet slang for “dominate completely.” Kaminsky’s award is subtitled “The Pwnie for pwning the media.”) Dai Zovi, presenting the award, tried to list the publications that had carried Kaminsky’s story. He gave up, saying, “What weren’t you in?” “GQ!” someone shouted from the audience.

Kaminsky took the stage and spat out two sentences: “Some people find bugs; some people get bugs fixed. I’m happy to be in the second category.” Swinging the award–a golden toy pony–by its bright pink hair, he stalked down the long aisle of the ballroom and out the door.

Who’s in Charge?
Depending on your perspective, the way Kaminsky handled the DNS flaw and its patch was either dangerous grandstanding that needlessly called public attention to the Internet vulnerability or–as Kaminsky sees it–a “media hack” necessary to train a spotlight on the bug’s dangers. Either way, the story points to the troubling absence of any process for identifying and fixing critical flaws in the Internet. Because the Internet is so decentralized, there simply isn’t a specific person or organization in charge of solving its problems.

And though Kaminsky’s flaw is especially serious, experts say it’s probably not the only one in the Internet’s infrastructure. Many Internet protocols weren’t designed for the uses they’re put to today; many of their security features were tacked on afterward and don’t address the underlying vulnerabilities. “Long-term, architecturally, we have to stop assuming the network is as friendly as it is,” Kaminsky says. “We’re just addicted to moving sensitive information across the Internet insecurely. We can do better.”

Indeed, at another security conference just days after Kaminsky’s presentation at Black Hat, a team of researchers gave a talk illustrating serious flaws in the Border Gateway Protocol (BGP), the protocol that routes traffic between the Internet’s networks. Like Kaminsky, the researchers had found problems with the fundamental design of an Internet protocol. Like the DNS flaw, the problem could allow an attacker to get broad access to sensitive traffic sent over the Internet.
