Now that the dust has settled, I call shenanigans all around
Posted by Ed in Analysis on Aug 20, 2008
So, I’m sure you heard about the Super-duper tip-top secret DNS Cache Poisoning issue? In case you haven’t, here’s a quick synopsis of the backstory. For the TLDR (“too long, didn’t read”) crowd, a synopsis of the synopsis is:
- Researcher finds a big bug in DNS
- Because it’s so incredibly huge, non-essential peeps were kept in the dark for 6 months
- The supreme magnitude of the patches to be released brought on dead silence for 30 days
- The silence was lifted at BlackHat where the technical details were revealed onstage
Now, throughout this whole episode, people were all kinds of pissed off because the researcher in question didn’t go the whole full disclosure route and just ante up what the issue was. Other people were pissed off because of the pressure to go public. Seems like too many people in a huff.
Personally, I’m a fan of natural selection, so I tend to agree with the folks that say that holding back the information was bogus. What do I mean by natural selection? I mean – if product A can’t release a patch to address a security issue in a reasonable timeframe, folks should know about that. If that means that they’re unprotected against some issue for a few days, maybe that’s a small risk by comparison. Small compared to what, you ask? Well – simply put – compared to the risk of keeping the bug on the down low while everybody fixes it. Here’s why…
Say, hypothetically, you have a known bug that you’re keeping quiet for a year (or 7 months if you want to get all literal about it). How many people do you think know about that bug during that time? The developers? Well, they’d have to know, right? In a multiple-vendor alert like this one, you’re talking about most of the developer population for all the products that are impacted. Could be a pretty big audience. The security architects at these vendors? Absolutely. Management? Of course. Technical writers? Sure, somebody’s got to write the alert.
Do you think that, out of all these people, somebody’s not going to let the goods out to someone? It seems inevitable to me. Plus, don’t forget about human nature. If you tell someone something is super-secret, doesn’t that make it all the more compelling for them to tell their friends? Absolutely. So the theory that people are going to keep it under their hat is ridiculous. In reality, there will be people with the data. I guarantee it. So disclosing the details is probably a good thing.
In this case, I don’t think that anybody was motivated by anything untoward. I don’t think it was all about “hacking the press” as some people seem to suggest. Instead, I really think the secrecy was an attempt to do something good and keep people safe. Good intentions. However, I think it probably could have been handled better. Personally, I probably would have gone through CERT since they seem to be pretty good at this kind of thing. But hey, that’s just me, and it’s easy to armchair quarterback.