Internet bug fix spawns backlash from hackers
Kaminsky, who is director of penetration testing with security vendor IOActive, said that he was "vaguely surprised" by some of the negative reaction, but that this kind of skepticism was vital to the hacker community. "I'm breaking the rules," he admitted. "There's not enough information in the advisory to figure out the attack and I'm bragging about it."
According to DNS expert Paul Vixie, one of the few people who have been given a detailed briefing on Kaminsky's finding, it is different from the issue reported three years ago by SANS. While Kaminsky's flaw is in the same area, "it's a different problem," said Vixie, who is president of the Internet Systems Consortium, the maker of the most widely used DNS server software on the Internet.
The issue is urgent and should be patched immediately, said David Dagon, a DNS researcher at Georgia Tech who was also briefed on the bug. "With sparse details, a few have questioned whether Dan Kaminsky had repackaged older work in DNS attacks," he said in an e-mail interview. "It is not feasible to think that the world's DNS vendors would have patched and announced in unison for no reason."
By day's end, Kaminsky had even turned his most vocal critic, Matasano's Ptacek, who issued a retraction on this blog after Kaminsky explained the details of his research over the telephone. "He has the goods," Ptacek said afterward. While the attack builds on previous DNS research, it makes cache poisoning attacks extremely easy to pull off. "He's pretty much taken it to point and click to an extent that we didn't see coming."
Kaminsky's remaining critics will have to wait until his Aug. 7 Black Hat presentation to know for sure, however.
The security researcher said he hopes that they show up for his talk. "If I do not have the exploit," he said, "I deserve every single piece of anger and distrust."