Flaw dating back to 2002 still being detected

Jul 18, 2008 09:09 GMT  ·  By

For the past week or so, Dan Kaminsky and the DNS (Domain Name System) flaw that he discovered have made the headlines of numerous online publications. Although specific technical details about the flaw have yet to be disclosed, the IT industry assures us that the 8th of July patch has solved the problem. Ari Takanen, founder and CTO of Codenomicon, a company that specializes in providing security testing software, does not agree.

Does anyone remember the SNMPv1 (Simple Network Management Protocol version 1) flaw that came to light back in 2002? The DNS and SNMP flaws both concern fundamental issues with the Internet, and they have much more in common than you might think.

"Our SNMP case was secret for nine months after reporting it to relevant vendors, and as far as I know it involved more than 100 vendors and other organizations (1,000+ people). We saw all possible attempts to disclose it, but even public disclosure lists appreciated the stand that CERT-US chose to take," says Takanen as cited by CNet.

Ari Takanen's statements came in response to an article published by Robert Vamosi, in which he stated that never before had a flaw with such a major impact been discovered. Several industry heavyweights studied the problem for a period of six months and then issued a fix simultaneously.

The interesting thing is that, to this day, Codenomicon still detects the six-year-old flaw, despite the general belief that all vulnerable systems have been patched. Although the flaw received so much media coverage in 2002, there are still systems out there that are vulnerable to this now ancient flaw.

"This just proves that reporting individual bugs for fame and fortune does not motivate the vendors to improve their quality assurance processes," says Ari Takanen, who is strongly opposed to disclosing security flaws before a fix is issued.