How One Guy Saved The Internet

Ken AshfordScience & TechnologyLeave a Comment

Interesting story in Wired about 26-year-old computer consultant named Dan Kaminsky.  The slightly overweight balding geek found a flaw in the Internet's DNS (Domain Naming System).  The DNS is the internet-wide protocol which translates readable website text (like www.cnn.com) into machine-accessible addresses like 208.67.108.220.

The article describes the point at which Kaminsky discovered the security hole:

This was far more serious than anything he could have imagined. It was the ultimate hack. He was looking at an error coded into the heart of the Internet's infrastructure. This was not a security hole in Windows or a software bug in a Cisco router. This would allow him to reassign any Web address, reroute anyone's email, take over banking sites, or simply scramble the entire global system.

The DNS has been part of the internet architecture since 1983, and gets tweaked every year.  But this "hole" in the coding had been around since the very beginning of the DNS.  And Kaminsky discovered it only this year.  What could he do?

The vulnerability gave him the power to transfer millions out of bank accounts worldwide. He lived in a barren one-bedroom apartment and owned almost nothing. He rented the bed he was lying on as well as the couch and table in the living room. The walls were bare. His refrigerator generally contained little more than a few forgotten slices of processed cheese and a couple of Rockstar energy drinks. Maybe it was time to upgrade his lifestyle.

Or, for the sheer geeky joy of it, he could reroute all of .com into his laptop, the digital equivalent of channeling the Mississippi into a bathtub.

Or he could have done this:

Most Internet commerce transactions are encrypted. The encryption is provided by companies like VeriSign. Online vendors visit the VeriSign site and buy the encryption; customers can then be confident that their transactions are secure.

But not anymore. Kaminsky's exploit would allow an attacker to redirect VeriSign's Web traffic to an exact functioning replica of the VeriSign site. The hacker could then offer his own encryption, which, of course, he could unlock later. Unsuspecting vendors would install the encryption and think themselves safe and ready for business. A cornerstone of secure Internet communication was in danger of being destroyed.

Fortunately, rather than playing a prank or taking over bank sites, Kaminsky called the appropriate people, and on July 8 — for the first time ever — a worldwide "patch" to the Internet developed by Nominum, Microsoft, Cisco, Sun Microsystems, Ubuntu, and Red Hat, among many others, was released.  (The patch applies to servers, not to individual computers).

The full story in the article is more interesting.  A lot of cloak-and-dagger stuff, as programmers and computer security experts tried to communicate with each other about this security hole, without letting the secret of the hack get out.

Sadly the "Kaminsky Hack" was leaked, and the Internet was vulnerable.  But by then, the patch was out.  And by mid-August, hundreds of millions of Internet users were protected.

And you didn't know this was going on…..