I think Kaminsky steps over the line when he says, "Please, keep the speculation off the public forums and IRC channels."
At this point, we have to assume that the black hats have already puzzled out the bug, or will do so very soon. As usual, the only people left in the dark will be the white hats and the working system administrators.
I'm still pretty annoyed at the handling of the recent security bugs in Ruby. The Ruby developers said, "Here are some security patches which you must apply right now, but we won't say why." The patches broke quite a few Ruby applications, and, to make matters worse, the actual bugs had been publicly described in Ruby's source tree. Once you release patches, the bug is almost always a matter of public record, at least for anyone who cares to think about it for a while. (The exception, perhaps, was the remote hole in ssh, which was first patched by privilege separation.)
In the case of the DNS bug, I could understand a week's embargo. But for Kaminsky to request that people not discuss why their systems are vulnerable is ridiculous. As system administrators, it's our job to secure our employers' systems. And to do that, we need to be able to discuss security problems. And since Kaminsky specifically requests keeping speculation out of public forums, he's admitting that he expects other people to figure it out, presumably including sufficiently dedicated black hats. So what purpose is served by the embargo?
Copyright © 2017, Eklektix, Inc.