Being his usual humble self, Halvar casually discovers what I think is Dan Kaminsky’s DNS flaw. The Register has a story that quotes me on this. While I’m not certain it is the same attack, I’m moderately confident it is.
Note that neither Halvar nor I was part of the secret briefing Dan gave to researchers. I didn't receive that inside information and believe Halvar didn't either. This reinforces the perspective that information about a bug should be revealed quickly, given the likelihood that another party will rediscover it. It's possible a black hat beat Halvar to it, smart as he is.
The debate about full or partial disclosure is really all about control. In this case, the information about the patch (randomize the source port and double-check that the TXID is really random) was enough to independently rediscover the attack. Even though the patch does not describe the attack, knowing that an attack serious enough to warrant that patch was possible was enough. Once the information was out there, Dan and the vendors had given up control.
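To make the point of the patch concrete, here is a small added simulation of the forged-reply race (my own example, not code from Halvar, Dan, or any resolver). A resolver with an outstanding query will only cache a reply that echoes the identifiers it is waiting for; an attacker who cannot see the query must guess them. The model assumes an unpatched resolver sends every query from one fixed port (port 53 here, an assumption), a patched one draws a 16-bit random port (the full 16-bit space is an assumption; real ephemeral ranges are smaller, so real-world entropy is lower), and the attacker lands 4096 distinct forged replies before the genuine answer arrives (a constructed figure). Nothing here covers how the attacker forces a fresh race; it only shows what each race is worth.

```python
import random
from dataclasses import dataclass

TXID_SPACE = 1 << 16   # DNS transaction ID is a 16-bit field
PORT_SPACE = 1 << 16   # assumption: full 16-bit port space for the patched resolver
FIXED_PORT = 53        # assumption: unpatched resolver reuses one well-known source port


@dataclass
class OutstandingQuery:
    txid: int
    port: int


def issue_query(rng, randomize_port):
    """Resolver picks the identifiers a reply must echo back.

    The extra entropy only helps if both values are drawn unpredictably,
    which is why checking the TXID generator went along with the port fix."""
    txid = rng.randrange(TXID_SPACE)
    port = rng.randrange(PORT_SPACE) if randomize_port else FIXED_PORT
    return OutstandingQuery(txid, port)


def reply_accepted(query, txid, port):
    """A reply is cached only if BOTH identifiers match the outstanding query."""
    return txid == query.txid and port == query.port


def forged_replies(rng, n, port_known):
    """Attacker floods n distinct guesses; with a fixed port only the TXID is unknown."""
    if port_known is not None:
        return [(t, port_known) for t in rng.sample(range(TXID_SPACE), n)]
    pairs = rng.sample(range(TXID_SPACE * PORT_SPACE), n)
    return [(p % TXID_SPACE, p // TXID_SPACE) for p in pairs]


def race_once(rng, randomize_port, n_forged):
    """One race: does any forged reply get accepted before the real one?"""
    q = issue_query(rng, randomize_port)
    port_known = None if randomize_port else FIXED_PORT
    return any(reply_accepted(q, t, p) for t, p in forged_replies(rng, n_forged, port_known))


def success_rate(randomize_port, n_forged=4096, races=400, seed=1):
    """Simulated fraction of races the attacker wins (seeded, so repeatable)."""
    rng = random.Random(seed)
    wins = sum(race_once(rng, randomize_port, n_forged) for _ in range(races))
    return wins / races


def analytic_rate(randomize_port, n_forged=4096):
    """Exact per-race win probability for n distinct guesses: n / size of the guess space."""
    space = TXID_SPACE * (PORT_SPACE if randomize_port else 1)
    return n_forged / space


if __name__ == "__main__":
    for randomize in (False, True):
        label = "random port" if randomize else "fixed port"
        print(f"{label}: simulated {success_rate(randomize):.4f}, "
              f"analytic {analytic_rate(randomize):.2e}")
```

With a fixed source port the attacker wins roughly one race in sixteen with these numbers; with the port randomized the same flood wins about one race in a million. The patch does not remove the race, it just makes each attempt worth far less.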
So, patch your servers and back to business as usual…