
The man who changed Internet security - nickb
http://news.cnet.com/8301-10789_3-9989292-57.html?hhTest=1
======
cperciva
I don't think this issue is quite as serious as Dan Kaminsky is making it
sound; but I'll say this for him: He's great at wrangling the media.

Is this bigger than past coordinated advisories? Maybe -- but not by much. A
major flaw in OpenSSL, OpenSSH, Sendmail, or IPv6 (e.g., the recent 'source
routing' issue) would all be just as "big" as this. Dan did exactly what any
responsible researcher would do -- nothing more.

~~~
nickb
It is. Both Thomas Ptacek and Dino Dai Zovi say they were wrong in thinking it
was not a big thing. Read this:

http://blog.trailofbits.com/2008/07/09/dan-kaminsky-disqualified-from-most-overhyped-bug-pwnie/

http://www.matasano.com/log/1093/patch-your-non-djbdns-server-now-dan-was-right-i-was-wrong/

~~~
cperciva
_Both Thomas Ptacek and Dino Dai Zovi say they were wrong in thinking it was
not a big thing._

Yes, I know. I was part of the pre-notified group.

To clarify: Ptacek and Dai Zovi were wrong in thinking that this attack is not
a big thing, and changed their mind when they heard more details. Having those
details, I agree that this is big -- just not as big as Kaminsky is making it
sound.

~~~
nickb
But were you told the details and you still think it's no big deal?

~~~
cperciva
Yes, I was told the details. I don't think it's "no big deal" -- I think it's
not _as big_ of a deal as Kaminsky makes it sound.

