A Patch to Fix the Net

  • Thursday, July 10, 2008
  • By Erica Naone

Rich Mogull, an analyst with Securosis, says, "This is something that absolutely affects everyone who uses the Internet today." While he notes that most home users won't have to take action to address the flaw, he stresses that it's very important for businesses to make sure that they've covered their bases. "It is an absolutely critical issue that can impede the ability of any business to carry out their normal operations," he says.

Although Kaminsky was careful to avoid giving out too much information about the flaw that he discovered, he did say a few things about the nature of the fix. When a domain name server responds to a request for a website's location, it provides a confirmation code that is one of 65,000 numbers, as assurance that the transaction is authentic. "What has been discovered," Kaminsky says, "is that, for undisclosed reasons, 65,000 is just not enough, and we need a source of more randomness." The new system will require the initial request to include two randomly generated identifiers, instead of the one it now contains. Both identifiers will automatically be returned in the server's response. Kaminsky likens this to sending mail. Before the patch, it was possible to send a letter signed on the inside, but without a return address. After the patch, all "mail" sent from domain name system servers must include both a "signature"--the confirmation code--and the "return address"--the source port information.
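As an added illustration (not code from the article, from Kaminsky, or from any vendor's patch), the Python model below shows the check described above: a resolver that accepts a response only when both the confirmation code and the source port match an outstanding query, and how that enlarges the space a blind forger would have to cover. The port range, the fixed pre-patch port, and the names `Resolver`, `guess_space` and `match_probability` are assumptions made for the example.

```python
import secrets

TXID_SPACE = 2 ** 16                 # 16-bit confirmation code (transaction ID)
PORT_LOW, PORT_HIGH = 1024, 65535    # assumed usable source-port range
FIXED_PORT = 32768                   # constructed stand-in for a fixed pre-patch port


class Resolver:
    """Simplified model of a resolver's table of outstanding queries."""

    def __init__(self, randomize_port):
        self.randomize_port = randomize_port
        self.pending = {}            # (txid, source_port) -> queried name

    def send_query(self, name):
        txid = secrets.randbelow(TXID_SPACE)
        if self.randomize_port:
            port = PORT_LOW + secrets.randbelow(PORT_HIGH - PORT_LOW + 1)
        else:
            port = FIXED_PORT
        self.pending[(txid, port)] = name
        return txid, port

    def accept(self, name, txid, dst_port):
        """Accept a response only if code, port and name match a pending query."""
        if self.pending.get((txid, dst_port)) != name:
            return False
        del self.pending[(txid, dst_port)]   # one answer per query
        return True


def guess_space(randomize_port):
    """Number of (code, port) combinations a blind sender would have to cover."""
    ports = PORT_HIGH - PORT_LOW + 1 if randomize_port else 1
    return TXID_SPACE * ports


def match_probability(forged_responses, randomize_port):
    """Chance that at least one of n distinct blind guesses matches one query."""
    return min(1.0, forged_responses / guess_space(randomize_port))


if __name__ == "__main__":
    for patched in (False, True):
        print(patched, guess_space(patched), match_probability(1000, patched))
```
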

Jeff Moss, CEO of Black Hat, a company that organizes conferences on security, stresses the importance not only of the vulnerability but also of the approach taken to patching it. "I don't even want to ask Dan [Kaminsky] how much money he could have gotten for this bug had he decided to sell it," Moss says.

Kaminsky says he's glad that vendors were willing to work together to address the flaw. "Something of this scale has not yet happened before," he says. "It is my hope that for any issue of this scale, especially design issues of this scale, this is the sort of thing that we can do in the future." He plans to release full details of the vulnerability next month at the Black Hat security conference in Las Vegas.



rocketscience

7 Comments

  • 1314 Days Ago
  • 07/10/2008

Congratulations

A team of companies working together to resolve a computer breach and resolving it quietly before it could be mass exploited... great effort and many thanks!

Reply

phoenix

172 Comments

  • 1314 Days Ago
  • 07/10/2008

return to sender

Internet worms, viruses, malicious software, netbots, spiders. It's a veritable jungle out there.

Reply

zig158

64 Comments

  • 1312 Days Ago
  • 07/12/2008

A short

I am interested to see the details of this vulnerability to see how much they are blowing this out of proportion.

For the record the confirmation code is most likely a short which is 65536.

Reply

mightybob

9 Comments

  • 1312 Days Ago
  • 07/12/2008

comcast

I think this exploit was already used to re-direct the Comcast e-mail login page about 2 weeks ago.

Reply
