Dangerously Convenient

I'm back from BlackHat 2008 and had a great time. This year, most of the press coverage was on Dan Kaminsky's DNS vulnerability. Dan is smart, clever, and will always go out of his way to recognize other people's good work - gotta love it.

This weakness in DNS has been seen by some as overexaggerated and by others as one of the deadliest the Internet has seen in years. No matter where you stand on the issue, the problem is what this weakness makes feasible and not the weakness itself.

Although the discussion is about DNS, your countermeasures should focus on man-in-the-middle (MiTM) attack scenarios - this is where the game is played. This weakness, when exploited, makes many MiTM attacks extremely feasible and difficult for the victim to detect at the time of the incident. If the attacker is able to get in the middle of the applications you are using directly (your web browsing, file transfers, etc.) or ones that you use indirectly (auto-updating of software packages, automated agents including email MUA/MTA), you better hope there are proper cryptographic methods to protect the data and validate the other end of the connection. Not only are most applications in bad shape, but studies have shown that if you warn users about this type of compromise during their session, they will likely just click through the warnings because, remember, they are busy and need to get their work done. More about this behavior later.

Now, before you start blaming the big bad Internet for being so insecure, when did someone say it was OK to start trusting services like DNS anyway? One of the very first requirements for the Internet was that "the host shall never trust the network, and the network shall never trust the host". The sooner we all stop trusting insecure protocols, the better. I'm not saying stop using them; I'm saying use them but know their limits and be accountable for the risks within your design.
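The auto-update case mentioned above, as an added example that is not part of the original post: an updater that treats both the DNS answer and the downloaded bytes as untrusted and installs only what matches a value it already holds. The hostname, addresses, payloads and function names are constructed for illustration, and a pinned digest stands in for the vendor signature check a real updater would use, because the Python standard library has no public-key signature API.

```python
import hashlib

# Constructed sample data: two "servers" keyed by IP address.
GOOD_UPDATE = b"update v2: legitimate package bytes"
EVIL_UPDATE = b"update v2: attacker-supplied bytes"
SERVERS = {"192.0.2.10": GOOD_UPDATE, "203.0.113.66": EVIL_UPDATE}

# Digest pinned inside the already-installed client (assumption: it arrived
# over a channel the attacker could not alter, such as the original install).
PINNED_SHA256 = hashlib.sha256(GOOD_UPDATE).hexdigest()

# Constructed resolver tables: an honest answer and a cache-poisoned one.
HONEST_DNS = {"updates.example.com": "192.0.2.10"}
POISONED_DNS = {"updates.example.com": "203.0.113.66"}


def fetch(hostname, resolver):
    """Resolve and download. Both steps are under the network's control."""
    return SERVERS[resolver[hostname]]


def naive_update(hostname, resolver):
    """Trusts the network: installs whatever the resolved host returns."""
    return fetch(hostname, resolver)


def verified_update(hostname, resolver, pinned=PINNED_SHA256):
    """Trusts only the pinned value: rejects bytes that do not match it."""
    payload = fetch(hostname, resolver)
    actual = hashlib.sha256(payload).hexdigest()
    if actual != pinned:
        raise ValueError("update rejected: digest mismatch")
    return payload


if __name__ == "__main__":
    host = "updates.example.com"
    print("naive, poisoned DNS:", naive_update(host, POISONED_DNS))
    print("verified, honest DNS:", verified_update(host, HONEST_DNS))
    try:
        verified_update(host, POISONED_DNS)
    except ValueError as err:
        print("verified, poisoned DNS:", err)
```

The verified path still uses DNS exactly as before; it simply does not let the answer decide what gets installed.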

Why do people take shortcuts in their designs, cheat when they don't think they will get caught, and generally pick the "easy" route? Because we are creatures that favor convenience, and the Internet and its protocols are dangerously convenient. We, like all other living organisms, are fundamentally wired to conserve energy. We will always try to find the most efficient path to our goals and in turn do so at some risk. We are quick to understand the benefits of an action but not always quick to evaluate at what future cost.

The Internet and its protocols are dangerously convenient. Can we not design systems that are both convenient and secure? The correct but not so useful answer here is "It Depends". My point in all of this was that these social biases point toward a much more fundamental security issue than any line of code. We must never forget that we are not designing systems for arbitrary faults; we must design knowing there is an active opponent out there trying to get at something of ours that has a high utility to them, and when they have taken it from us, we still have it.

About

This page contains a single entry from the blog posted on August 11, 2008 8:17 PM.
