The DNS Debacle In Poetic Review
Update: Check it out! Leo Laporte and Steve Gibson read my poem on their Security Now podcast. Thanks for the radio voice, Leo!
—
A few months ago
Kaminsky discovered a flaw.
It was with DNS,
It was nasty and raw
He decided that rather
to disclose all at once
he’d instead only tell people
who’d fix it in months

So some meetings were had
and work soon began
vendors wrote patches
coordinated by Dan

Fast forward some time
out the closet it came
some researcher types
got into the game

Dan’s rules were quite simple,
that in 30 days
he’d present during Blackhat
and we’ll all be amazed

A bunch of big egos
called Dan on a bluff
said his vuln was a copy
of 10 year old stuff

So Dan swore them on handshakes
and details were provided
and those same cocky claims
soon all but subsided

It seems that Dan’s warnings
weren’t baseless at all
Said the same skeptical hackers
"the risk isn’t that small!"

So Blackhat was nearing
the web didn’t break
then out came a theory
from our friend Halvar Flake

No sooner had he posted
and described the vuln’s guts
than Matasano’s blog surfaced,
kicked the web in the nuts

It said "Halvar’s right!"
we’ll no longer keep quiet.
The post’s ripple effect
caused a nasty ‘net riot

The blog quickly was pulled
but the cat’s out of the bag
the arms race began
since there’s no longer a gag

Meanwhile the issues of honor and trust
rehashed the debate
of when disclosure goes bust

So Dan’s days of thirty
we never did see
thirteen is OK
but I issue this plea

When researchers consider
how to disclose and thus when
will you think of the users?
How it might affect them?

This ego-fueled rush
to put your name on a vuln
has a much bigger impact
than you might have known

If the point here is really
to secure and protect
then consider what image
you really project

In this case the vuln.
is now in the wild
an exploit is coming
DNS soon defiled

The arms race has started
and the clock now is ticking
If you haven’t yet patched
you’ll soon take a licking

I’m not taking sides really
on the disclosure debate
but rather the topic
of patch early or late

What good is disclosure
if the world couldn’t cope
with the resultant attacks
if we’ve all got just hope?

There’s two sides to this issue
both deserve merit
but Dan’s rep has been smeared
I say let’s just clear it
—
Happy patching everyone! ;(
/Hoff
Very nice. Now all we need is illustrations to put it into "Little Golden Book" children's book format 🙂
Genius! Would've sent that compliment via Twitter but… fail whale.
LOL. That's a good one 😉
Well said 🙂
I nominate you for a new Pwnie Award… best Security related poem.
-Nate
Bravo! How do we commission a "Twas the Night Before Black Hat" version? 🙂
@Crystal…
Easy:
1) Rocks glass
2) 2 Ice cubes
3) 23yr old Pappy Van Winkle
…the beauty is, I happen to have all three. 😉
Hoff, you deserve a t-shirt for this: http://www.bustedtees.com/hassle
Obviously pissed at the entire circus with the DNS…
I must admit that the entire charade reminded me of a circus between Zibri and George Hotz with the unlock of iPhone 1.2 OS – both were secretive and hiding the solution for a month to prove the better hero at the end.
Spirovski Bozidar http://www.shortinfosec.net
McGonagall lives!
DNS – Poetic Review of the mess
The best review of the whole DNS mess is probably the poetic one written by Hoff Rambling over at Rational