
The DNS Debacle In Poetic Review

Update: Check it out! Leo Laporte and Steve Gibson read my poem on their Security Now podcast. Thanks for the radio voice, Leo!

A few months ago
Kaminsky discovered a flaw.
It was with DNS,
It was nasty and raw

He decided that rather
than disclose all at once
he’d instead only tell people
who’d fix it in months

So some meetings were had
and work soon began
vendors wrote patches
coordinated by Dan

Fast forward some time
out the closet it came
some researcher types
got into the game

Dan’s rules were quite simple,
that in 30 days
he’d present during Blackhat
and we’ll all be amazed

A bunch of big egos
called Dan on a bluff
said his vuln was a copy
of 10 year old stuff

So Dan swore them on handshakes
and details were provided
and those same cocky claims
soon all but subsided

It seems that Dan’s warnings
weren’t baseless at all
Said the same skeptical hackers
"the risk isn’t that small!"

So Blackhat was nearing
the web didn’t break
then out came a theory
from our friend Halvar Flake

No sooner had he posted
and described the vuln’s guts
than Matasano’s blog surfaced,
kicked the web in the nuts

It said "Halvar’s right!"
we’ll no longer keep quiet.
The post’s ripple effect
caused a nasty ‘net riot

The blog quickly was pulled
but the cat’s out of the bag
the arms race began
since there’s no longer a gag

Meanwhile the issues of honor and trust
rehashed the debate
of when disclosure goes bust

So Dan’s days of thirty
we never did see
thirteen is OK
but I issue this plea

When researchers consider
how to disclose and thus when
will you think of the users?
How it might affect them?

This ego-fueled rush
to put your name on a vuln
has a much bigger impact
than you might have known

If the point here is really
to secure and protect
then consider what image
you really project

In this case the vuln
is now in the wild
an exploit is coming
DNS soon defiled

The arms race has started
and the clock now is ticking
If you haven’t yet patched
you’ll soon take a licking

I’m not taking sides really
on the disclosure debate
but rather the topic
of patch early or late

What good is disclosure
if the world couldn’t cope
with the resultant attacks
if we’ve all got just hope?

There’s two sides to this issue
both deserve merit
but Dan’s rep has been smeared
I say let’s just clear it

Happy patching everyone! ;(

/Hoff

Categories: Poetry
  1. July 22nd, 2008 at 20:41 | #1

    Very nice. Now all we need is illustrations to put it into "Little Golden Book" children's book format 🙂

  2. July 22nd, 2008 at 21:20 | #2

    Genius! Would've sent that compliment via Twitter but… fail whale.

  3. July 23rd, 2008 at 03:26 | #3

    LOL. That's good one 😉

  4. July 23rd, 2008 at 06:45 | #4

    Well said 🙂

  5. July 23rd, 2008 at 07:23 | #5

    I nominate you for a new Pwnie Award… best Security related poem.
    -Nate

  6. July 23rd, 2008 at 17:26 | #6

    Bravo! How do we commission a "Twas the Night Before Black Hat" version? 🙂

  7. July 23rd, 2008 at 22:24 | #7

    @Crystal…
    Easy:
    1) Rocks glass
    2) 2 Ice cubes
    3) 23yr old Pappy Van Winkle
    …the beauty is, I happen to have all three. 😉

  8. July 23rd, 2008 at 23:51 | #8

    Hoff, you deserve a t-shirt for this: http://www.bustedtees.com/hassle

  9. July 24th, 2008 at 08:13 | #9

    Obviously pissed at the entire circus with the DNS…
    I must admit that the entire charade reminded me of a circus between Zibri and George Hotz with the unlock of iPhone 1.2 OS – both were secretive and hiding the solution for a month to prove a better hero at the end.
    Spirovski Bozidar http://www.shortinfosec.net

  10. August 1st, 2008 at 05:00 | #10

    McGonagall lives!

  11. August 28th, 2008 at 01:18 | #11

    DNS – Poetic Review of the mess

    The best review of the whole DNS mess is probably the poetic one written by Hoff Rambling over at Rational
