The vulnerability is real, and the risk is high. Patch your stuff.

I'm currently sitting in on the Dan Kaminsky Blackhat Webinar. There was not a whole lot of interesting technical details revealed that aren't already public facing. The majority of the discussion was begging and pleading people to implement the patches for this problem.

Dan made a point to state that the leak of the vulnerability details is not an issue at this point. Instead, rightfully so, focusing the discussion on getting the world to patch.

What's my take on it?

One thing that the entire debacle reinforces is that responsible disclosure does work (to a degree). The major issue with the process as executed was that too much self promotion, by many different hands, was involved thus causing other researchers to jump all over it and eventually leak the details to the world. The circle was made too big with no accountability for people who didn't keep things secret. When money is involved nothing will be kept secret. All a researcher can do is his/her best to get things secure before releasing the details of the vulnerability to the general public. Dan did what he could and I applaud him for for the good faith effort that he made.

Would it have been safer to just have Dan K suck it up and let people think he was full of crap instead of bringing in a trusted circle of researchers to confirm his findings? Possibly.

Would people have patched without having additional third party independent researchers confirm Dan's findings? Possibly Not.

Would full disclosure have made the Internet more secure at a faster rate? Absolutely not.

In a future blog post we'll debate the validity of weaponizing this vulnerabaility within days of disclosure. Was this good, bad, or indifferent? Criminal? Good for the world? What are you thoughts?