Rational Survivability: The DNS Debacle In Poetic Review

« No DNS Disclosure Debacle Here: Stiennon Pens the Funniest Thing I've Read in 2008... | Main | On Releasing PoC/'Sploit Code For Near Zero-Day Vulns »

July 23, 2008

The DNS Debacle In Poetic Review

Update: Check it out! Leo Laporte and Steve Gibson read my poem on their Security Now podcast. Thanks for the radio voice, Leo!

A few months ago
Kaminsky discovered a flaw.
It was with DNS,
It was nasty and raw

He decided than rather
to disclose all at once
he'd instead only tell people
who'd fix it in months
So some meetings were had
and work soon began
vendors wrote patches
coordinated by Dan
Fast forward some time
out the closet it came
some researcher types
got into the game
Dan's rules were quite simple,
that in 30 days
he'd present during Blackhat
and we'll all be amazed
A bunch of big egos
called Dan on a bluff
said his vuln was a copy
of 10 year old stuff

So Dan swore them on handshakes
and details were provided
and those same cocky claims
soon all but subsided
It seems that Dan's warnings
weren't baseless at all
Said the same skeptical hackers
"the risk isn't that small!"
So Blackhat was nearing
the web didn't break
then out came a theory
from our friend Halvar Flake
No sooner had he posted
and described the vuln's guts
than Matasano's blog surfaced,
kicked the web in the nuts
It said "Halvar's right!"
we'll no longer keep quiet.
The post's ripple effect
caused a nasty 'net riot

The blog quickly was pulled
but the cat's out of the bag
the arms race began
since there's no longer a gag

Meanwhile the issues of honor and trust
rehashed the debate
of when disclosure goes bust
So Dan's days of thirty
we never did see
thirteen is OK
but I issue this plea
When researchers consider
how to disclose and thus when
will you think of the users?
How it might affect them?
This ego-fueled rush
to put your name on a vuln
has a much bigger impact
than you might have known
If the point here is really
to secure and protect
then consider what image
you really project
In this case the vuln.
is now in the wild
an exploit is coming
DNS soon defiled
The arms race has started
and the clock now is ticking
If you haven't yet patched
you'll soon take a licking
I'm not taking sides really
on the disclosure debate
but rather the topic
of patch early or late
What good is disclosure
if the world couldn't cope
with the resultant attacks
if we've all got just hope?

There's two sides to this issue
both deserve merit
but Dan's rep has been smeared
I say let's just clear it

Happy patching everyone! ;(

/Hoff

Posted at 12:31 AM in Poetry | Permalink

Tags: Chris Hoff, Christofer Hoff, Dan Kaminsky, DNS, Full Disclosure, Halvar Flake, Matasano, Rational Security, Rational Survivability

Comments

Update: Check it out! Leo Laporte and Steve Gibson read my poem on their Security Now podcast. Thanks for the radio voice, Leo!

A few months ago
Kaminsky discovered a flaw.
It was with DNS,
It was nasty and raw

He decided than rather
to disclose all at once
he'd instead only tell people
who'd fix it in months
So some meetings were had
and work soon began
vendors wrote patches
coordinated by Dan
Fast forward some time
out the closet it came
some researcher types
got into the game
Dan's rules were quite simple,
that in 30 days
he'd present during Blackhat
and we'll all be amazed
A bunch of big egos
called Dan on a bluff
said his vuln was a copy
of 10 year old stuff

So Dan swore them on handshakes
and details were provided
and those same cocky claims
soon all but subsided
It seems that Dan's warnings
weren't baseless at all
Said the same skeptical hackers
"the risk isn't that small!"
So Blackhat was nearing
the web didn't break
then out came a theory
from our friend Halvar Flake
No sooner had he posted
and described the vuln's guts
than Matasano's blog surfaced,
kicked the web in the nuts
It said "Halvar's right!"
we'll no longer keep quiet.
The post's ripple effect
caused a nasty 'net riot

The blog quickly was pulled
but the cat's out of the bag
the arms race began
since there's no longer a gag

Meanwhile the issues of honor and trust
rehashed the debate
of when disclosure goes bust
So Dan's days of thirty
we never did see
thirteen is OK
but I issue this plea
When researchers consider
how to disclose and thus when
will you think of the users?
How it might affect them?
This ego-fueled rush
to put your name on a vuln
has a much bigger impact
than you might have known
If the point here is really
to secure and protect
then consider what image
you really project
In this case the vuln.
is now in the wild
an exploit is coming
DNS soon defiled
The arms race has started
and the clock now is ticking
If you haven't yet patched
you'll soon take a licking
I'm not taking sides really
on the disclosure debate
but rather the topic
of patch early or late
What good is disclosure
if the world couldn't cope
with the resultant attacks
if we've all got just hope?

There's two sides to this issue
both deserve merit
but Dan's rep has been smeared
I say let's just clear it

Happy patching everyone! ;(

/Hoff

About

Disclaimer

The views and opinions expressed here are those of Christofer Hoff only and in no way represent the views, positions or opinions - expressed or implied - of my employer or anyone else.

Sun	Mon	Tue	Wed	Thu	Fri	Sat
					1	2
3	4	5	6	7	8	9
10	11	12	13	14	15	16
17	18	19	20	21	22	23
24	25	26	27	28	29	30
31

Rational Survivability

PLEASE NOTE: I HAVE PERMANENTLY MOVED MY BLOG TO http://www.rationalsurvivability.com/blog <-- All these posts/comments have been moved there and all new posts since May 2009 appear there.

July 23, 2008

The DNS Debacle In Poetic Review

Comments

About

Disclaimer

Archives

Recent Posts

Recent Comments

Categories

May 2009