This seems to be pretty basic and obvious, but a the first rule about keeping a secret is don’t tell people. Frankly, I think Dan should be pretty happy that the details about the DNS vulnerability he discovered took this long to emerge publicly. As he pointed out, 13 days are better then zero.
Of course, if Halvar (someone who didn’t know the details about DNS) could figure this out in just under two weeks in his spare time, it seems pretty obvious to me that someone with a financial interest and some decent DNS knowledge could figure this out in much less time (definitely under a week) and start exploiting it. It would surprise me if someone HASN’T been exploiting this for the last week or so. Hence, I’ve got to wonder if this process really has made us all any safer, since many administrators believing they had a month to patch haven’t patched yet and are now freaking out and running around trying to patch all their DNS servers.
Paul Vixie’s argument that people shouldn’t publicly discuss the technical aspects of issue is just silly for a simple reason- the bad guys are smart enough to figure this out by themselves. Allowing the good guys to work on the issue at least gives us a reasonable guess of how well the bad guys are doing.
Clearly, anyone who thought this secret would survive until Dan gave his Blackhat presentation was living in a state of denial. Hopefully, people will look back on this incident, learn from it and then not make the same mistakes twice (yes, I’m looking at you Tom). Honestly, I think Dan did a good job trying to manage the issue in a responsible way, but I’d argue that the month long delay between announcing the patches and the details of the vulnerability did more harm then good.
What’s a better solution? Give everyone 7 days to patch instead of giving the false sense of security that you’ve got a month to update. That way if someone figures out the technical details earlier, at least people knew it was coming “soon”. Will people still bitch and complain that 7 days is too long/short? You betcha.
Update 7/23/08:
Looks like I was correct that someone could deduce the problem in “under a week”. Dan Kaminsky stated in this interview on Wired that it took only “a couple of days” before someone had figured out the flaw on their own.