Dan Kaminsky recently announced a “major weakness in DNS.” Lots of speculation ensued as Dan decided to withhold details of the weakness until his talk at BlackHat 2007. This riled some folks. (And someone even posted the vuln details to their blog, which then got cached in many RSS readers. Oops! But thank you!)
Now, my opinion as an admin and sec geek is that Dan shouldn’t have waited to personally capitalize on this issue at BH2007, and instead should have disclosed the information necessary for me to make an informed security decision. I feel that I’m smart enough to be able to question and understand patches and vulnerabilities rather than be spoonfed vague, incomplete information about some mysterious weakness I should avoid with an unmarked pill. I am likely a minority in this regard, however. (Besides, doesn’t the hacker ethic sympathize with free disclosure [that kinda sounds better than ‘full disclosure…’] of information, especially as information tends towards being free anyway?)
But, I will never actually fault Dan for the decision he made. In fact, had it been me, I might have made the same decision. This is his decision (though this is arguable) and it likely earns him some deep cred in the DNS community and especially amongst the vendors. Instead of “black hat” cred with kids on the streets, he gets cred which could actually pay some bills. And in the middle are people like me who appreciate the work, don’t appreciate the half-disclosure, but in the end still benefit from his findings and work. A year from now, any misgivings about the approach will be gone, but the benefits to security will remain.
In the past few years, it has become popular to say that black hat actions have become commercialized and criminal. Well, on the other hand, white hat activities have also been commercialized.
On a side note, the whole “put up or shut up” mentality that Dan mentions is a two-edged sword (at least). On one hand, yes, it’s about security-minded people being paranoid and asking for the real details and questioning things. But on the other hand, it is the same tactic that children will use to get you to tell a secret, for instance…