Kevin Sites in the Hot Zone - Chapter 15: Coming HomeIn this final chapter of "A World of Conflict," Kevin Sites returns home to the U.S., only to confirm what he suspected -- that in the year that he was gone little had changed.

Kevin Sites in the Hot Zone - Chapter 14: Israel-Hezbollah WarThe war between Israel and Hezbollah shook the landscape in the Middle East.

Kevin Sites in the Hot Zone - Chapter 13: Sri LankaKevin Sites covered Sri Lanka as violence erupted between the government and Tamil Tiger rebels, pushing a nation with so much to lose back to the brink of all-out war. In rebel-held territory Sites interviewed Tiger fighters about their tactics and reported on the many effects of war still seen in the region.

Kevin Sites in the Hot Zone - Chapter 12: Nepal and KashmirKevin Sites covered Nepal during a time of sweeping political change that followed mass nationwide protests, forcing the autocratic King to cede power.

Kevin Sites in the Hot Zone - Chapter 11: Child BrideIn Afghanistan, Kevin Sites met a 12-year-old girl named Gulsoma, whose incredible story of resilience resonated with millions of people worldwide. She was only six years old when she was sold to a neighbor family in Kandahar as a child bride.

Kevin Sites in the Hot Zone - Chapter 10: AfghanistanReporting from Afghanistan in spring 2006, more than four years after the U.S.-led coalition ousted the Taliban, Kevin Sites found that war is not over in the country.

Kevin Sites in the Hot Zone - Chapter Nine: ChechnyaIn Chechnya during the winter of 2005-2006, Kevin Sites reported on a region still reeling from lingering conflict between Russia and Islamic separatists. The conflict engulfed Chechnya in the 1990s, and even now, half of the population is yet to return. Those that have eke out a living amid the rubble.

Kevin Sites in the Hot Zone - Chapter Eight: Iran

Kevin Sites in the Hot Zone - Chapter Seven: IsraelIn Israel, Kevin Sites interviewed Kinneret Boosany, a victim of a suicide bombing at a Tel Aviv cafe in 2002.

Despite the best efforts of the security community, the details of a critical internet vulnerability discovered by Dan Kaminsky about six months ago have leaked. Hackers are racing to produce exploit code, and network operators who haven't already patched the hole are scrambling to catch up. The whole mess is a good illustration of the problems with researching and disclosing flaws like this.

The details of the vulnerability aren't important, but basically it's a form of DNS cache poisoning. The DNS system is what translates domain names people understand, like www.schneier.com, to IP addresses computers understand: 204.11.246.1. There is a whole family of vulnerabilities where the DNS system on your computer is fooled into thinking that the IP address for www.badsite.com is really the IP address for www.goodsite.com -- there's no way for you to tell the difference -- and that allows the criminals at www.badsite.com to trick you into doing all sorts of things, like giving up your bank account details. Kaminsky discovered a particularly nasty variant of this cache-poisoning attack.

Here's the way the timeline was supposed to work: Kaminsky discovered the vulnerability about six months ago, and quietly worked with vendors to patch it. (There's a fairly straightforward fix, although the implementation nuances are complicated.) Of course, this meant describing the vulnerability to them; why would companies like Microsoft and Cisco believe him otherwise? On July 8, he held a press conference to announce the vulnerability -- but not the details -- and reveal that a patch was available from a long list of vendors. We would all have a month to patch, and Kaminsky would release details of the vulnerability at the BlackHat conference early next month.

Of course, the details leaked. How isn't important; it could have leaked a zillion different ways. Too many people knew about it for it to remain secret. Others who knew the general idea were too smart not to speculate on the details. I'm kind of amazed the details remained secret for this long; undoubtedly it had leaked into the underground community before the public leak two days ago. So now everyone who back-burnered the problem is rushing to patch, while the hacker community is racing to produce working exploits.

What's the moral here? It's easy to condemn Kaminsky: If he had shut up about the problem, we wouldn't be in this mess. But that's just wrong. Kaminsky found the vulnerability by accident. There's no reason to believe he was the first one to find it, and it's ridiculous to believe he would be the last. Don't shoot the messenger. The problem is with the DNS protocol; it's insecure.

The real lesson is that the patch treadmill doesn't work, and it hasn't for years. This cycle of finding security holes and rushing to patch them before the bad guys exploit those vulnerabilities is expensive, inefficient and incomplete. We need to design security into our systems right from the beginning. We need assurance. We need security engineers involved in system design. This process won't prevent every vulnerability, but it's much more secure -- and cheaper -- than the patch treadmill we're all on now.

What a security engineer brings to the problem is a particular mindset. He thinks about systems from a security perspective. It's not that he discovers all possible attacks before the bad guys do; it's more that he anticipates potential types of attacks, and defends against them even if he doesn't know their details. I see this all the time in good cryptographic designs. It's over-engineering based on intuition, but if the security engineer has good intuition, it generally works.

Kaminsky's vulnerability is a perfect example of this. Years ago, cryptographer Daniel J. Bernstein looked at DNS security and decided that Source Port Randomization was a smart design choice. That's exactly the work-around being rolled out now following Kaminsky's discovery. Bernstein didn't discover Kaminsky's attack; instead, he saw a general class of attacks and realized that this enhancement could protect against them. Consequently, the DNS program he wrote in 2000, djbdns, doesn't need to be patched; it's already immune to Kaminsky's attack.

That's what a good design looks like. It's not just secure against known attacks; it's also secure against unknown attacks. We need more of this, not just on the internet but in voting machines, ID cards, transportation payment cards ... everywhere. Stop assuming that systems are secure unless demonstrated insecure; start assuming that systems are insecure unless designed securely.

---

Bruce Schneier is chief security technology officer of BT, and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World.