Update: Check it out! Leo Laporte and Steve Gibson read my poem on their Security Now podcast. Thanks for the radio voice, Leo!
--
A few months ago
Kaminsky discovered a flaw.
It was with DNS,
It was nasty and raw
He decided that rather
than disclose all at once
he'd instead only tell people
who'd fix it in months

So some meetings were had
and work soon began
vendors wrote patches
coordinated by Dan

Fast forward some time
out the closet it came
some researcher types
got into the game

Dan's rules were quite simple,
that in 30 days
he'd present during Blackhat
and we'll all be amazed

A bunch of big egos
called Dan on a bluff
said his vuln was a copy
of 10-year-old stuff

So Dan swore them on handshakes
and details were provided
and those same cocky claims
soon all but subsided

It seems that Dan's warnings
weren't baseless at all
Said the same skeptical hackers
"the risk isn't that small!"

So Blackhat was nearing
the web didn't break
then out came a theory
from our friend Halvar Flake

No sooner had he posted
and described the vuln's guts
than Matasano's blog surfaced,
kicked the web in the nuts

It said "Halvar's right!"
we'll no longer keep quiet.
The post's ripple effect
caused a nasty 'net riot

The blog quickly was pulled
but the cat's out of the bag
the arms race began
since there's no longer a gag

Meanwhile the issues of honor and trust
rehashed the debate
of when disclosure goes bust

So Dan's days of thirty
we never did see
thirteen is OK
but I issue this plea

When researchers consider
how to disclose and thus when
will you think of the users?
How it might affect them?

This ego-fueled rush
to put your name on a vuln
has a much bigger impact
than you might have known

If the point here is really
to secure and protect
then consider what image
you really project

In this case the vuln.
is now in the wild
an exploit is coming
DNS soon defiled

The arms race has started
and the clock now is ticking
If you haven't yet patched
you'll soon take a licking

I'm not taking sides really
on the disclosure debate
but rather the topic
of patch early or late

What good is disclosure
if the world couldn't cope
with the resultant attacks
if we've all got just hope?

There's two sides to this issue
both deserve merit
but Dan's rep has been smeared
I say let's just clear it
--
Happy patching everyone! ;(
/Hoff