Wired's Danger Room has a good interview with Dan Kaminsky, whose DNS hack has been burning up the wires. Dan figured out a means of disrupting the entire Internet by poisoning DNS. The exploit's existence and scope have been hotly debated ever since, and it all came to a head when details of the exploit leaked:
"Well you know, there were people who said, Dan, I wish I could patch but I don't know the bug and I can't get the resources I need to patch it. Well you know the bug now.
"You know, Verizon Business has a blog entry where they say that the greatest short-term risk from patching DNS was from the patch itself, from changing such a core and essential element to their systems. I know this. I was a network engineer before I was a security engineer. So that's why we took such extraordinary lengths to try to get people as much time as possible (to patch their systems). There's just a lot of complexity in doing something on this scale. This is something I think a lot of people don't realize. It was difficult to get the patches even written, let alone get them all released on a single day.
"But let me tell you, the complete lack of whining from the (DNS software) vendors . . . if I could have gotten as little whining from the security (professionals) . . . no I'm not going to say that. It's so tempting! I'm simply going to say this in positive terms. I wish everybody could be as cooperative and understanding and as helpful as Microsoft and ISC (the Internet Systems Consortium) and Cisco and everyone else was who worked so hard to get customers what they needed to protect our networks."