- Black Hat and/or Def Con should not be the place where "all is revealed." The gravity of the situation (such as it might be) is nullified by what will undoubtedly be a circus. Disclosure of additional details should have been done by a neutral party with no commercial interests. Black Hat and/or Def Con would have made great post-disclosure locations, where Dan explains how he found the vulnerability, along with "the rest of the story." That would have still made a great talk, with plenty of worthwhile attention.
- Personal blog posts should be avoided. The disclosure process should have been run exclusively through a group with some nominal "Internet security legitimacy," like CERT-CC and the affiliated US-CERT. Any questions on the issue should have been referred to them.
- The person discovering the issue should not have asked us to avoid speculation while at the same time issuing a challenge, e.g.:
I want you to explore DNS. I want you to try to build off the same bugs I did to figure out what could possibly go wrong. Maybe I missed something — I want you to help me find out if I did, so we can deal with it now instead of later...
While I’m out there, trying to get all these bugs scrubbed — old and new — please, keep the speculation off the public forums and IRC channels. We’re a curious lot, and we want to know how things break. But the public needs at least a chance to deploy this fix, and from a blatantly selfish perspective, I’d kind of like my thunder not to be completely stolen in Vegas :)
Now, if you do figure it out, and tell me privately, you’re coming on stage with me at Defcon. So I can at least offer that.
This essentially says "if you're clever enough to figure this problem out, tell me and join me in the circus."
I think it's remarkable that, despite all the brainpower behind the preparation for these announcements, the DNS behind NAT problem first noticed by imipak was missed. If no speculation or discussion of the issue had taken place, how would that problem have been addressed?
There's no easy answer to the fundamental question, but it's fair to ask what is really at stake here. Right now, hundreds of thousands, perhaps millions, of innocent users have unwanted intruders controlling their PCs. That is a realized problem. It is not theoretical. It is not pending. Why is there not a crash program to help those people?
Consider the issue from another angle. Anyone with military experience knows there are procedures in place for dealing with real catastrophes. Absolutely nothing about the current situation has raised any official notice outside of our community. Are there any warnings on CNN? The SANS Internet Threat Level (take it with a grain of salt) is even still green.
This does not diminish the amount of work done by Dan, the vendors, and other parties to fix this issue. It's all for the better to have more robust infrastructure in place. At the very least this situation has raised the question of how vulnerabilities in critical infrastructure should be addressed in the future.