Wired: Politics

The intersection of technology and government.
Copyright: Copyright 2007 CondeNet Inc. All rights reserved.

Despite the best efforts of the security community, the details of a critical internet vulnerability discovered by Dan Kaminsky about six months ago have leaked. Hackers are racing to produce exploit code, and network operators who haven't already patched the hole are scrambling to catch up. The whole mess is a good illustration of the problems with researching and disclosing flaws like this.

The details of the vulnerability aren't important, but basically it's a form of DNS cache poisoning. The DNS system is what translates domain names people understand, like www.schneier.com, to IP addresses computers understand: 204.11.246.1. There is a whole family of vulnerabilities where the DNS system on your computer is fooled into thinking that the IP address for www.badsite.com is really the IP address for www.goodsite.com -- there's no way for you to tell the difference -- and that allows the criminals at www.badsite.com to trick you into doing all sorts of things, like giving up your bank account details. Kaminsky discovered a particularly nasty variant of this cache-poisoning attack.

Here's the way the timeline was supposed to work: Kaminsky discovered the vulnerability about six months ago, and quietly worked with vendors to patch it. (There's a fairly straightforward fix, although the implementation nuances are complicated.) Of course, this meant describing the vulnerability to them; why would companies like Microsoft and Cisco believe him otherwise? On July 8, he held a press conference to announce the vulnerability -- but not the details -- and reveal that a patch was available from a long list of vendors. We would all have a month to patch, and Kaminsky would release details of the vulnerability at the BlackHat conference early next month.

Of course, the details leaked. How isn't important; it could have leaked a zillion different ways. Too many people knew about it for it to remain secret. Others who knew the general idea were too smart not to speculate on the details. I'm kind of amazed the details remained secret for this long; undoubtedly it had leaked into the underground community before the public leak two days ago. So now everyone who back-burnered the problem is rushing to patch, while the hacker community is racing to produce working exploits.

What's the moral here? It's easy to condemn Kaminsky: If he had shut up about the problem, we wouldn't be in this mess. But that's just wrong. Kaminsky found the vulnerability by accident. There's no reason to believe he was the first one to find it, and it's ridiculous to believe he would be the last. Don't shoot the messenger. The problem is with the DNS protocol; it's insecure.

The real lesson is that the patch treadmill doesn't work, and it hasn't for years. This cycle of finding security holes and rushing to patch them before the bad guys exploit those vulnerabilities is expensive, inefficient and incomplete. We need to design security into our systems right from the beginning. We need assurance. We need security engineers involved in system design. This process won't prevent every vulnerability, but it's much more secure -- and cheaper -- than the patch treadmill we're all on now.

What a security engineer brings to the problem is a particular mindset. He thinks about systems from a security perspective. It's not that he discovers all possible attacks before the bad guys do; it's more that he anticipates potential types of attacks, and defends against them even if he doesn't know their details. I see this all the time in good cryptographic designs. It's over-engineering based on intuition, but if the security engineer has good intuition, it generally works.

Kaminsky's vulnerability is a perfect example of this. Years ago, cryptographer Daniel J. Bernstein looked at DNS security and decided that Source Port Randomization was a smart design choice. That's exactly the work-around being rolled out now following Kaminsky's discovery. Bernstein didn't discover Kaminsky's attack; instead, he saw a general class of attacks and realized that this enhancement could protect against them. Consequently, the DNS program he wrote in 2000, djbdns, doesn't need to be patched; it's already immune to Kaminsky's attack.
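To make the two design choices above concrete, here is a toy model of the attack and the defence, added for this page (it is not code from Schneier, Kaminsky or djbdns). The zone name, the IP addresses, the fixed port 53, the ephemeral range 1024-65535 and the number of forged replies the attacker can land before the genuine answer arrives are all assumptions. The model captures the two things that matter: an off-path attacker must guess the 16-bit transaction ID (and, when randomized, the source port) of a query in flight, and the Kaminsky trick of querying a fresh nonce name under the target zone gives the attacker as many races as he wants, each one able to carry poisoned NS/glue records for the whole zone. One caveat a practitioner should keep in mind: source-port randomization does not make the attack impossible, it multiplies the guessing space by roughly 64,000, from about 2^16 to about 2^32 pairs.

```python
"""Toy model of Kaminsky-style DNS cache poisoning and the effect of
source-port randomization. Added example, not code from the original
article; names, addresses and the attacker's packet budget are assumptions."""
import random
from dataclasses import dataclass, field
from typing import Optional

TXID_BITS = 16                  # DNS transaction ID is 16 bits
FIXED_PORT = 53                 # resolver without port randomization (assumed)
EPHEMERAL = range(1024, 65536)  # port range a randomizing resolver picks from (assumed)
VICTIM_ZONE = "victim.example"  # constructed zone and addresses
LEGIT_NS_IP = "192.0.2.10"
ATTACKER_IP = "198.51.100.66"


@dataclass
class ToyResolver:
    """One outstanding query at a time; a reply is accepted only if its
    (qname, destination port, txid) matches the query that is in flight."""
    randomize_port: bool
    rng: random.Random
    cache: dict = field(default_factory=dict)
    outstanding: Optional[tuple] = None

    def send_query(self, qname):
        port = self.rng.choice(EPHEMERAL) if self.randomize_port else FIXED_PORT
        txid = self.rng.getrandbits(TXID_BITS)
        self.outstanding = (qname, port, txid)
        return port, txid

    def receive(self, qname, port, txid, records):
        if self.outstanding == (qname, port, txid):
            # The toy resolver trusts every record in a matching reply, including
            # NS/glue for the parent zone: that is what the Kaminsky trick abuses.
            self.cache.update(records)
            self.outstanding = None
            return True
        return False


def search_space(randomize_port):
    """Number of (port, txid) pairs an off-path attacker has to guess from."""
    return (len(EPHEMERAL) if randomize_port else 1) << TXID_BITS


def expected_races(randomize_port, guesses_per_race):
    """Mean number of races until a forged reply matches, with
    guesses_per_race distinct (port, txid) guesses per race."""
    return search_space(randomize_port) / guesses_per_race


def kaminsky_attack(resolver, guesses_per_race, max_races, rng):
    """Each race: make the resolver look up a fresh nonce name under the victim
    zone (never cached, so races are unlimited), then fire forged replies that
    carry poisoned NS/glue for the whole zone. Returns the winning race or None."""
    space = search_space(resolver.randomize_port)
    poisoned = {f"ns.{VICTIM_ZONE}": ATTACKER_IP, VICTIM_ZONE: f"NS ns.{VICTIM_ZONE}"}
    for race in range(1, max_races + 1):
        qname = f"{rng.getrandbits(32):08x}.{VICTIM_ZONE}"
        real_port, real_txid = resolver.send_query(qname)
        for idx in rng.sample(range(space), min(guesses_per_race, space)):
            port = EPHEMERAL[idx >> TXID_BITS] if resolver.randomize_port else FIXED_PORT
            txid = idx & ((1 << TXID_BITS) - 1)
            if resolver.receive(qname, port, txid, poisoned):
                return race
        # the forged burst missed; the genuine answer arrives and is cached normally
        resolver.receive(qname, real_port, real_txid, {qname: LEGIT_NS_IP})
    return None


def run_attack(randomize_port, guesses_per_race, max_races, seed=1):
    """Run one attack with fixed seeds; returns (winning race or None,
    cached address for the zone's name server, poisoned or None)."""
    resolver = ToyResolver(randomize_port, random.Random(seed + 1))
    race = kaminsky_attack(resolver, guesses_per_race, max_races, random.Random(seed))
    return race, resolver.cache.get(f"ns.{VICTIM_ZONE}")


if __name__ == "__main__":
    for randomize in (False, True):
        print(f"port randomization={randomize}: {search_space(randomize):,} pairs, "
              f"~{expected_races(randomize, 100):,.0f} races at 100 forgeries/race")
    print("fixed port, 100 forgeries per race ->", run_attack(False, 100, 10000))
    print("random port, 100 forgeries per race, 20 races ->", run_attack(True, 100, 20))
```

With the port fixed, 100 forged replies per race win after a few hundred races on average, which is seconds of traffic; with the port randomized the same budget needs tens of millions of races. The real mitigation numbers depend on the resolver's actual port range and how many forgeries the attacker can land per race, which is why the design lesson above is about raising the cost of a whole class of guesses rather than blocking one known packet sequence.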

That's what a good design looks like. It's not just secure against known attacks; it's also secure against unknown attacks. We need more of this, not just on the internet but in voting machines, ID cards, transportation payment cards ... everywhere. Stop assuming that systems are secure unless demonstrated insecure; start assuming that systems are insecure unless designed securely.

---

Bruce Schneier is chief security technology officer of BT, and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World.


Four young political activists are syndicating their diary entries and impressions of Republican America across the web. The project is called Whereisthered.com.

  Wed, 23 Jul 2008 16:30:00 +0200
San Francisco regains control of its network after the city admin who hijacked the system nine days ago turns over the stolen passwords to Mayor Gavin Newsom in a secret jailhouse meeting.

A San Francisco prosecutor told a judge that network admin Terry Childs rigged the city's network for "failure" if there was a power outage. A routine outage was scheduled for July 19 but was canceled out of caution. Childs' attorney called the accusation "spurious" and a judge declined to release Childs from jail.

  Wed, 23 Jul 2008 03:00:00 +0200
The Pentagon's storied research and development arm turned 50 years old this year. Its birthday present from the Pentagon brass: another $100 million in budget cuts.

  Wed, 23 Jul 2008 02:49:00 +0200
Six months ago, security researcher Dan Kaminsky was looking for a faster way to host data on the internet. What he found was the biggest internet security hole in a decade.

The details of a critical vulnerability in a core piece of internet infrastructure have leaked onto the web, despite efforts to keep the information under wraps. The security researcher who found the hole in the Domain Name System is now urging everyone to fix the vulnerability before it's too late.

Computer security threats are constantly changing, but what madness will ensue when online criminals start developing a sense of humor?

Opening arguments get underway in Guantanamo Bay, Cuba, against Salim Ahmed Hamdan -- Osama bin Laden's driver -- in what is the first U.S. war crimes trial since World War II. But Hamdan faces a lifetime behind bars if convicted or acquitted. He's deemed an enemy combatant, which the Bush administration says means he can be held indefinitely.

  Tue, 22 Jul 2008 20:06:00 +0200
A federal appeals court struck down yet again a law that would have required websites to verify all visitors' ages if any of their content wasn't suitable for minors. Tuesday's ruling from the 3rd U.S. Circuit Court of Appeals adds to a decade of losses for the government's attempts to regulate speech on the internet.


© copyright feeds2read.net 2005-2008