Halvar Flake is a researcher. Here's how he describes himself on his blog: "I like simple things. And complex things. And drinking beer with people like Fyodor Yarochkin. I like South America. And some parts of Asia, specifically Kuala Lumpur. I like French. I like Spanish. I'd like to like more languages."
Yesterday, based on some of his research, maybe after drinking a bunch of beer, perhaps with someone like Fyodor Yarochkin, he posted a hypothesis on how to exploit a security vulnerability of the Domain Name Server system, which governs the millions of server names on the Internet. He had to be drunk, right? His post suggests otherwise, and maybe he's not wrong for posting it.
A patch for the flaw discovered by security researcher Dan Kaminsky was posted two weeks ago, along with a warning not to discuss the flaw publicly for fear that the information might fall into the wrong hands. Was Halvar was too drunk to notice that part?
Not according to Flake, who states right up front that he disagreed with Kaminsky's position on secrecy to buy vendors time to patch the flaw. "This is a commendable goal," he wrote. "I respect Dans viewpoint, but I disagree that this buys anyone time (more on this below). I am fully in agreement with the entire way he handled the vulnerability (e.g. getting the vendors on board, getting the patches made and released, and I understand his decision not to disclose extra information) except the proposed 'discussion blackout.' " Sounds reasonable to me.
In a nutshell, Flake figured out that if you flood a DNS server with requests for domain names of similar spelling, it can become open to false instructions fed to it by a node posing as a root server. The end result, he asserted, is that a hacker could successfully divert unsuspecting Internet users a site with malicious intent.
Flake counts among his favorite movies the 1998 thriller "Lock, Stock and Two Smoking Barrels." Hey, how bad could the guy be?