Kaminsky Advocates Execution at RSA 2010

Mar 03, 2010

by Dana Tierney, Senior Editor

What the internet needs is for a few guys to get shot. Or at least arrested.

What was especially interesting about Dan Kaminsky's comment was that the other people on the podium nodded.

The spam that is drowning the world's mail servers overwhelmingly originates with one of perhaps a hundred individuals with known identities, yet they generally operate with impunity, said the researcher famous for finding 2008's DNS cache poisoning vulnerability, director of penetration testing at IOActive. Unlike theft, extortion or attack in the physical world, in the cyber arena victims generally suffer from a perception that attacks represent defense failures, he added.

Therefore, he said, breaches do not get reported, and information does not get shared. "We need better data on criminal activity impacting legitimate businesses," the highly quotable Kaminsky said at the 2010 RSA Conference, in a panel session entitled "The End of the Internet as We Know It? Separating Reality From the Hype".

Moderator Dmitri Alperovitch, Vice President of Threat Research at McAfee, Inc, had a similar comment about recent attacks on Google, Adobe and other large technology companies. Many of them have not yet determined whether they have a mandate to disclose the attack, or whether they should anyway.

The panel reached a consensus that the information technology community doesn't lack information about threats — but it rarely gets good, actionable information about those threats. "There's nothing for anyone to do but be afraid," commented Tom Cross, manager of IBM's X-Force, about most news coverage. Coverage of vulnerabilities in the mainstream press oscillates between apocalyptic and dismissive, with neither entirely accurate. "The heart of risk management is identifying whether you should assign resources," he said.

Similarly, a threat which does not constitute "the end of the internet as we know it" — an over-used phrase with 43,400 hits on Google — can still require attention and may still need remediation.

"I'd like to see it patched," Christopher Lee, a researcher at Shadowserver, said mildly when Alperovitch asked him whether Conficker was hype or not. Millions of computers remain infected, and the numbers continue to rise. The only dip in activity so far came at Christmas, he said, probably because many people received new computers as gifts.

However, the breathless scaremongering that surrounded speculation about what exactly those millions of computers would get up to misrepresented both the situation and the expectations of researchers, he said: "No one was saying it was going to be Doomsday on April 1st."

Sven Krasser, McAfee's Senior Director of Data Mining Research, characterized the recent demonstration of SSL vulnerabilities as mostly hype, except as a "fundamental breakage of the user's trust." A paper at the 2009 Black Hat conference illustrated MD5 vulnerabilities and problems with certificate authorities. This, the panel agreed, was another example of a situation where "the world is not coming to an end, but there's a problem."

So few breaches receive publicity not because breaches do not occur, said Kaminsky, but because of "predator satiation." So many vulnerabilities exist that internet criminals can pick the easiest to exploit. The most lucrative in many ways, said Cross, is often the "continuous stream of browser vulnerabilities."


Dana Tierney is the Senior Editor at House of Fusion, where she causes authors to cry over their once-thought perfect articles. They recover, and their articles are better for it. But still, the sound of grown men weeping...

