Picture the scene at Security Blogs R Us:
“We’re so freakin’ clever, we’ve figured out Dan Kaminsky’s DNS vulnerability”
“Yeah, but what if someone else figures it out – won’t we look stupid if we post second to them?”
“You’re right – but we gave Dan our word we wouldn’t publish.”
“So we won’t publish, but we’ll have a blog article ready to go if someone else spills the beans, so that we can prove that we knew all about it anyway.”
“Yeah, but we’d better be careful not to publish it accidentally.”
>>WHOOP, WHOOP, WHOOP<<
“What was that?”
“The blog alert – someone else is beating us to the punch as we speak.”
“Publish or perish! Damn the torpedoes – false beard ahead!”
“What? Are you downloading those dodgy foreign-dubbed pirated anime series off BitTorrent through the company network again?”
“Yes – I found a way around your filters.”
It’s true (okay, except for all of the made-up dialog above), a blog at one of the security vulnerability research crews (ahem, Matasano) did the unthinkable and rushed a blog entry out on the basis that they thought someone else (ahem, Halvar Flake) was beating them to it. And now we all know. The genie is out of the bag, the cat has been spilled, and the beans are out of the bottle.
Now we all know how to spoof DNS.
Okay, so Matasano pulled the blog pretty quickly, but by then it had already been copied to server upon server, and some of those copies are held by people who don’t want to take the information off the Internet.
Clearly, Information Wants To Be Free.
There’s an expression I never quite got the hang of – “Information Wants To Be Free”, cry the free software guys (who believe that software is information, rather than expression, which is a different argument entirely) – and the sole argument they have for this is that once information is freed, it’s impossible to unfree it. A secret once told is no longer a secret.
There’s an allusion to the way in which liquid ‘wants to be at its lowest level’ (unless it’s liquid helium, which tends to climb up the sides of the beaker when you’re not looking), in that if you can’t easily put something back to where it used to be, then where it used to be is not where it wants to be.
So, information wants to be free, and Richard Stallmann’s bicycle tyre wants to have a puncture.
I can immediately think of only one extra piece of advice I’d have given to the teams patching this on top of what I said in my previous blog, and that’s something that, in testing, I find the Windows Server 2003 DNS server was doing anyway.
So, that’s alright then.
Well, not entirely – I do have some minor misgivings that I hope I’ve raised to the right people.
But in answer to something that was asked on the newsgroups, no I don’t think you should hold off patching – the patch has some manual elements to it, in that you have to make sure the DNS server doesn’t impinge on your existing UDP services (and most of you won’t have that many), but patching is really a whole lot better than the situation you could find yourself in if you don’t patch.
And Dan, if you’re reading this – hi – great job in getting the big players to all work together, and quite frankly, the secrecy lasted longer than I expected it to. Good job, and thanks for trying to let us all get ourselves patched before your moment of glory at BlackHat.