United, Internet Users Stand; Divided, We End up at Phony Sites

Jul 15, 2008, 06:47

Carl Weinschenk


Last week, news broke of a vulnerability in the Domain Name System (DNS) that, if exploited, could send users to phony Web sites. The flaw was found by Dan Kaminsky, director of penetration testing at IOActive. Kaminsky tells IT Business Edge’s Carl Weinschenk that the potential severity of the problem led vendors and researchers to work together to create the patches that are now available.


Weinschenk: How did this differ from other vulnerabilities?

Kaminsky: This is an extreme case of what we normally have to deal with. Usually it is constrained to a single vendor, with individual implications. [Alleviating the problem] involves contacting vendors, making sure they understand the flaw and working with a patch release. This particular vulnerability was different. I recognized the flaw. This is a design flaw that tends to exist not just in a particular implementation, but happens over and over. Usually, you find a bug, work with the vendor, release a patch and an advisory. This one had huge implications. It could spread a lot and involved a lot of people who do not usually necessarily work together.

Weinschenk: What did you do when you found it?

Kaminsky: I contacted all the parties and said we’ve got a problem here. Paul Vixie from IS Consortium was particularly helpful. BIND is the largest Internet name server and Paul was the maintainer of BIND for a decade, probably longer than that. Paul has worked with DNS for decades, so together we basically pulled together engineers from across the industry because we realized an issue of this scale is straightforward and universal. [The security industry] took an unusual step. We flew in for a DNS summit to close on what to do here. Microsoft was very gracious and offered to be host. People were flying in from Europe, California, the East Coast.

Weinschenk: Specifically, what did the meeting look at?

Kaminsky: We had three goals. One was to understand the problem. The second was to determine what the best solution would be, what protects the most customers. Finally, when do we do this? Do we get the patch out as it is ready [for each vendor] or do a synchronized release? That has not happened before. There was always a lot of talk about cooperation. I can actually report now that the industry has done it here. This approach is a model of engineers in a room with no boundaries trying to find out what works and helps protect people.

Weinschenk: So it was successful.

Kaminsky: So we basically agreed on March 31 to come out with a synchronized release over the next couple of months. We kept each other apprised and made it happen. Now it is July 9 and there are patches for IOS, for Windows and [for other operating systems].

Weinschenk: That seems to speak to the fact that the industry understands that it has to work for the common good. Is that so?

Kaminsky: A number of us already knew each other. Those who didn’t also had the common goal to protect customers. You cannot eliminate human factors, especially in any shared project such as a synchronized DNS fix, even a non-synchronized one. It is interesting, the degree to which, at the end of the day, fixing bugs is a collaboration between the finder and the fixer. If the two are not on the same page [it doesn’t work].

Weinschenk: In a broader context, it seems that online code is unique in that there potentially are universal problems. If my car has a brake problem, it is specific to that make. Also, if a massive problem occurs, it affects everybody – even those who don’t have the problem – by taking down the entire system.

Kaminsky: Physical stuff will kill you. The chair you are sitting on, an apple, the printer, the printer paper. Physical stuff is good at killing people. For physical stuff, you have something called strict liability. If anything goes wrong, the manufacturer has to pay. On the other side, ideas that are written will not kill you. A holiday buddy movie, no matter how bad the script, you are not going to die from. And then there’s software: Software tends not to kill people, though there are exceptions. More people are killed by crashing windows than Windows crashing. Software does not have strict liability. If it did have strict liability, I don’t know what decade a piece of software would be released, but it wouldn’t be this one. Since it won’t kill people, it can be engineered to far less tolerances than physical things.

Weinschenk: But a lot is riding on software, even if it is physically unable to kill you.

Kaminsky: While no one dies, people can lose all their money. People can be harmed. The normal systems we have at a societal level don’t really apply unless we move to a liability model, which would destroy innovation. We need to differentiate secure from insecure code, and that requires independent verifying, so that the market rewards secure code and punishes insecure code. That is what an independent security world supplies.

Weinschenk: How does this conceptual framework affect the real world?

Kaminsky: A vulnerability is found, a patch is released and there is real-world pressure not to [release code with that problem] again. There are many reasons for that. At the end of the day, the researcher tends to win because people want to know what is safe and what is not. The bottom line is that responsible disclosure creates information that the market has a genuine desire for — to differentiate secure from insecure code.

Weinschenk: What do you think of for-profit markets for vulnerabilities, such as WabiSabiLabi?

Kaminsky: I won’t comment on them. But ZDI – the Zero Day Initiative – is a good thing. Managing the life cycle of a vulnerability is a good thing. The researcher gets paid, the vendor gets the bug and everyone is happy. ZDI is an excellent thing to exist. It is a legitimate outlet for this research. There’s nothing wrong with selling an exploit that is given to the vendor and ultimately has to be given to the vendor freely. It’s something of a safe harbor.

Weinschenk: So what’s the biggest takeaway from the DNS vulnerability that culminated last week?

Kaminsky: I like to say it’s an interesting bug, but interesting bugs happen. The real story is that all the competing interests worked together to do something to protect customers. Getting best practices distributed more widely than before is something to be proud of. There is going to be a next step for this group. Where we go from here is going to be fascinating to watch.