We support Microsoft .NET Framework 2.0 & 1.1, all versions of Access, SQL 2000, SQL 7.0, SQL 2005 Express, SOAP, FrontPage 2002, 2003, Visual Studio 2005, Index Server, XML, UDDI, & Mobile device support. We also offer great third party tools like SmarterMail, Merak Mail, SmarterStats, PHP, Perl, MySql, DeepMetrix Livestats XSP 8.0.
 Friday, July 11, 2008

While it is clear that Dan Kaminsky did report a flaw without any method to verify or reproduce the flaw, I have to ask what exactly others would do in the same situation. I will only say this: if the flaw is in fact the same one that Thomas Ptacek claims, related to the 16-bit session ID, and has been around for years, then given time this too will be known and Dan Kaminsky is setting himself up for a rather unpleasant period. Though honestly there is nothing Dan Kaminsky has to gain by simply doing the right thing. Each of us is faced with these types of decisions in our lives! Piling on as a critic without any details seems totally unproductive.

According to DNS expert Paul Vixie, one of the few people who has been given a detailed briefing on Kaminsky's finding, the exploit is different from the issue reported three years ago by SANS. While Kaminsky's flaw is in the same area, "it's a different problem," said Vixie, who is president of the Internet Systems Consortium, the maker of the most widely used DNS server software on the Internet.

By day's end, Kaminsky had even turned his most vocal critic, Matasano's Ptacek, who issued a retraction on this blog after Kaminsky explained the details of his research over the telephone. "He has the goods," Ptacek said afterward. While the attack builds on previous DNS research, it makes cache-poisoning attacks extremely easy to pull off. "He's pretty much taken it to point and click to an extent that we didn't see coming."

Kaminsky's remaining critics will have to wait until his Aug. 7 Black Hat presentation to know for sure.

7/11/2008 6:50:27 AM (Pacific Daylight Time, UTC-07:00)