"Two weeks ago, when security researcher Dan Kaminsky announced a
devastating flaw in the internet's address lookup system, he took the
unusual step of admonishing his peers not to publicly speculate on the
specifics. The concern, he said, was that online discussions about how
the vulnerability worked could teach black hat hackers how to exploit
it before overlords of the domain name system had a chance to fix it.
That hasn't stopped researcher Halvar Flake from posting a
hypothesis that several researchers say is highly plausible. It
describes a simple method for tampering with DNS name servers that get
queried when a user tries to visit a specific website. As a result,
attackers would redirect someone trying to visit a site such as
bankofamerica.com to an impostor site that steals their credentials."
The Register
Halvar's guess is located at http://addxorrol.blogspot.com/2008/07/on-dans-request-for-no-speculation.html
Reading more
"It would also demonstrate the difficulty researchers like Kaminsky
face in trying to keep the specifics of a vulnerability quiet. While
Flake is highly respected in security circles, he admits his knowledge
of DNS is limited. He had to spend time reading a "DNS-for-dummies"
text to get up to speed.
If a few weeks was enough for him to come up with an attack
scenario, plenty of less scrupulous hackers almost certainly will be
able to do the same thing, calling into question whether it's realistic
to limit vulnerability disclosure in the way Kaminsky has proposed.
"It's the universal opinion of the research community that
it's not a reasonable request," said Thomas Ptacek, a researcher at
Matasano who is critical of the admonition against other researchers publicly discussing the flaw.
Ptacek and several other researchers have received a briefing from
Kaminsky in exchange for a promise not to discuss it publicly, a
condition he says is perfectly OK." TheReg
Shortly after Halvar's posting, Matasano Chargen's Thomas Ptacek (the guy quoted above by The Register) leaked the details on his
site, then removed them shortly after, as discussed at http://it.slashdot.org/article.pl?sid=08/07/21/2212227. Luckily, a friendly Slashdot viewer mirrored this post at http://darkoz.com/?p=1.
I guess Thomas (having violated the trust of someone he knows) felt bad enough for disclosing Dan's research after Dan asked him not to
that he posted a response to leaking the vuln details (http://www.matasano.com/log/1105/regarding-the-post-on-chargen-earlier-today/). If you enjoy security drama/theater, I'd suggest reading the replies.
TheRegister Entry: http://www.theregister.co.uk/2008/07/21/dns_flaw_speculation/