A short while back we reported on a DNS flaw discovered by Dan Kaminsky, which has since been patched by the industry. After uncovering the vulnerability, he met with industry representatives from the 16 major IT companies that manufacture DNS software and shed some light on the situation, but he never released that information to the general public. Security pros all over the world are curious to know its exact technical details.
Dan Kaminsky has informed us that he plans to make everything public at the Black Hat security conference next month. He is also asking hackers and security pros to be patient until then and perhaps stop trying to acquire such info by means of hacking.
"I want you to explore DNS. I want you to try to build off the same bugs I did to figure out what could possibly go wrong. But I also want my family to be able to use the Internet in peace. I'm not asking for forever. I am asking about thirty days. I've done everything in my power to get the patches available, no matter the platform. But the code doesn't (always) install itself," says Dan Kaminsky on his blog.
One of the quickest to reply to Kaminsky was Thomas Ptacek from Matasano Security: "The bug in DNS is that it has a 16-bit session ID. You can't deploy a new Web app with less than 128-bit session IDs. We've known about that fundamental problem since the '90s."
According to the SANS Internet Storm Center, the DNS flaw discovered by Kaminsky was already discovered in January 2005 by Ian Green. Although some claim the vulnerabilities are not the same, there is no way to be sure of that until Kaminsky releases the much-awaited technical details.
Kaminsky is not backing down and is not succumbing to the pressure the hacking community is putting on him. According to him, this was bound to happen, but he is more than glad that there is "not enough information in the advisory to figure out the attack".