Shouting ‘bug’ on a crowded Internet…

[As ever you can read this on the BBC News website, and it’s also on CircleID]

In the last few weeks we’ve seen two very different approaches to the full disclosure of security flaws in large-scale computer systems.

Problems in the domain name system have been kept quiet long enough for vendors to find and fix their software, while details of how to hack Transport for London’s Oyster card will soon be available to anyone with a laptop computer and a desire to break the law.

These two cases highlight a major problem facing the computing industry, one that goes back many years and is still far from being resolved.  Given that there are inevitably bugs, flaws and unexpected interactions in complex systems, how much information about them should be made public by researchers when the details could be helpful to criminals or malicious hackers.

When Dan Kaminsky discovered a major security flaw in DNS he kept it quiet.  DNS is the service that translates domain names like ‘www.bbc.co.uk’ into internet protocol addresses like 212.58.253.67 that can be used by computers, and the flaw he found affected almost every internet-connected computer because it could be used to fool our computers into believing IP addresses provided by malicious DNS servers.

As a result someone trying to visit the BBC website, their bank or a webmail account could be sent to a fake site without knowing it.

Instead of publicising what he had found Kaminsky told vendors like Microsoft and Sun and for the past few months they have been working on a co-ordinated solution that involves updates to much of the core software that makes the internet work.  The idea was that the problem would have been resolved before Kaminsky published details at the upcoming Black Hat security conference.

Unfortunately the plan has gone awry in the last few days  after another researcher, Halvar Flake, kicked off a discussion about the flaw that prompted Matasano Security to post full details on their own blog. That post has been taken down, but is of course around in the Google cache and the details have circulated widely. [NB this is a correction of the original, which said that “Halvar Flake, apparently pinpointed the details in a blog post of his own”- he has been in touch to point out that I posted a very vague *guess* on how the issue might work at
http://addxorrol.blogspot.com/2008/07/on-dans-request-for-no-speculation.html
The guess is vague, and partially incorrect. A third party then released a full detailed article with all details on *their* blog, and pulled it shortly thereafter
. Sorry for the confusion]

As a result Kaminsky and others are advising any systems administrator who has not yet applied the update to their servers to patch them “Today.  Now. Yes, stay late.” It’s sound advice (and if you’re reading this but have unpatched DNS servers then stop now and go and fix your systems).

Kaminsky’s caution would seem to contrast starkly with the decision by Professor Bart Jacobs to publish details of the security vulnerabilities his research team has found in one of the world’s most popular contactless smartcards, the MIFARE Classic, which is used in  London’s Oyster card, because they remain unfixed.

After his team from Holland’s Radboud University announced that they planned to publish details of how to copy cards and change their contents at will the manufacturer, NXP Semiconductors, went to court and were granted a preliminary injunction forbidding publication.

Now a full hearing has overturned the injunction, so the papers will be released as planned, and we will soon now how to add extra money to the balance on our Oyster cards because of the poor security of the system.

However this is not a case of a maverick academic simply publishing without considering the economic or social impact. Jacobs told NXP about his findings in 2007, and even informed the Dutch government so that they could take steps to secure government buildings that used smartcards to control access, while the papers concerned won’t be published until October this year.

But instead of using the time to fix the problems NXP has tried to stop publication, arguing that necessary changes will take ‘up to a number of years’, and ignoring the fact that the necessary skills are probably already in the hands of criminal groups.

The DNS vendors did not head off to court to try to stop Kaminsky speaking at Black Hat, perhaps because DNS is not owned by anyone while NXP Semiconductors own MIFARE and make a lot of money out of it.
DNS is a community good, and we all benefit from its safe and reliable operation, while smartcards generally serve the interests of private companies or those wanting to manage our lives in various ways.

And because NXP was trying to protect its commercial interests rather than those of the wider community, it failed to get the injunction it wanted. The judge even noted that ‘Damage to NXP is not the result of the publication of the article but of the production and sale of a chip that appears to have shortcomings’, a remarkably sensible thing for a judge to say in a case about computer security.

So who is right? Dan Kaminsky for keeping things quiet, or Bart Jacobs for pushing ahead with publication? I think both are.

We can have general principles and decide to override them if circumstances allow, and indeed we do this in many areas of our daily lives so should not expect the politics of technology to be different.  Full disclosure is, in most situations and for most problems, the best way to ensure that those at risk can protect themselves and those responsible for flawed software have an incentive to fix it.

But sometimes, as with Dan Kaminsky’s discovery about DNS, a more cautious approach is called for. Kaminsky is not planning to keep his findings secret, but the public interest is best served by allowing those who provide DNS servers the time they need to ensure a smooth transition to updated versions instead of causing a panic.

NXP went to court to protect themselves from the painful reality that their chip is flawed, instead of doing all they could to resolve the problem, and as a result many of their users find themselves having to review their security procedures.

The similarities to arguments about free expression are not mere coincidence, of course.  Shouting ‘bug’ on a crowded internet is just as dangerous as shouting ‘fire’ in a crowded theatre, even in societies where free speech is valued and protected by law, and we should not assume that full disclosure is always the right way forward.

Bill’s Links
Check your DNS on Dan Kaminsky’s site
Oyster hack can be published (BBC):
The Times reports the hack in April:
And its publication:
MIFARE on Wikipedia:
NXP statement on the hack:
More security debate on Bugtraq:

One Reply to “Shouting ‘bug’ on a crowded Internet…”

  1. I am not a security researcher, and do not know any security researchers, but I can imagine if I was one I would want the whole world to know if I had discovered a new vulnerability, eventually. It would be quite a boring job to discover something and not gain credit for that discovery no matter what field you work in.

    In this instance the ‘heads up’ provided by both Dan Kaminsky & Professor Bart Jacobs should be applauded. They could easily have sold their respective discovery’s on the black market.

Comments are closed.