ANDREA SEABROOK, host:
Imagine your job is to install home security systems. You wire the houses, you put in the keypads, you make sure the people all over the neighborhood are safe from burglars. Then one day you're working on a house and you discover there's a simple way to cross a couple of wires that completely disables the alarm. Not only that, the maneuver makes the front door pop open and the homeowner's credit card spit out onto the front porch and every house on the street is vulnerable.
That's pretty much what happened a few months ago, but to a guy who specializes in Internet security. He discovered a problem with the basic wiring of the Internet that could very easily be exploited by hackers. In a minute we're going to talk to that guy but first we turn to NPR's resident online media guru Andy Carvin. Andy, help me make sense of what this whole problem is.
ANDY CARVIN: Whenever you go online, every Web site has an address that you're familiar with. NPR has got NPR.org; Google is google.com. You know, you might have a bank that's called yourlifesavingsbank.com.
CARVIN: But really behind the scenes there's a number associated with every Web site. So, for example, Google's Web site isn't actually google.com. It's 220.127.116.11. Doesn't exactly roll off the tongue, does it?
CARVIN: And so to make life easier they have this system in place on the Internet called the domain name system, or DNS.
CARVIN: And it's basically a directory that's kept by servers all over the world to make sure that when you type in whatever words, like google.com or NPR.org, it knows how to look up the proper number and send you to the right computer.
SEABROOK: So, I type in yourlifesavingsbank.com, right?
CARVIN: And it looks up the number that is the official number associated with the server that hosts that Web site.
SEABROOK: So, it's sort of like calling directory assistance.
(Soundbite of ding)
Unidentified Woman #1: DNS, Directory Assistance.
CARVIN: As far as you know you've typed in the Web site you want to go to and then you're there.
Unidentified Woman #1: I'm transferring you now.
Unidentified Woman #2: Your Life Savings Bank, how may I help you?
CARVIN: This DNS system has been operating for years with a big hole in it. And this hole allows people to come in, hack into this system and start switching numbers around.
SEABROOK: So, when I type in yourlifesavingsbank.com…
CARVIN: It could go to a fake Web site where criminals are waiting to collect your personal data.
Unidentified Woman: I'm transferring you now.
Unidentified Man: This is Your Life Savings Bank. Please input your Social Security Number.
SEABROOK: It sounds bad.
CARVIN: It could be very bad if people start exploiting it, which is why there are people scrambling all over the world right now trying to patch these DNS servers. Thousands upon thousands of them, someone needs to manually go in and patch that hole.
SEABROOK: Andy Carvin is our online media guru at NPR. Thanks so much, Andy.
CARVIN: Thanks for having me.
SEABROOK: Now the guy who discovered this flaw. His name is Dan Kaminsky. He's with the Internet security company IOActive, and he's a consultant for Microsoft. Dan Kaminsky, thanks for coming in. I know you're at member station KUOW in Seattle.
Mr. DAN KAMINSKY (Consultant, IOActive): It's great to be here.
SEABROOK: The thing that I think is so dramatic about this story is the secret meetings that you had with the world's Internet giants - Microsoft, Cisco, Linux. But before we get there, let's start with how you found this problem in the first place.
Mr. KAMINSKY: I was just trying to make the Internet faster. I was just trying to find a better way to move you from a slow server to a fast server. I realized I had some techniques from a previous talk that might be applicable. But then I said I don't know, this can't work. 'Cause if this works, the hitter, that's going to be in a whole bunch of trouble and then it totally worked.
SEABROOK: It worked. Oh no.
Mr. KAMINSKY: You want to talk sinking feelings. I'm like, this is really simple and really problematic in the entire process of what do I have to do about this. This bug is in the original specification from 1983.
SEABROOK: So, what'd you do? You called this secret meeting.
Mr. KAMINSKY: The summit was on March 31 from nothing to people flying internationally all into Redmond five weeks.
SEABROOK: And in complete secret?
Mr. KAMINSKY: We all had something to lose.
(Soundbite of laughter)
SEABROOK: Yeah, I guess. I mean, these are big players on the Internet.
Mr. KAMINSKY: That was the thing. I mean, at the end of the day we're all engineers and we all see the bridge and we see the bridge is swaying.
SEABROOK: Okay. So, you come out of this meeting with an idea for how this can be fixed with, you know, a patch for this flaw. But you in fact came out and said there's a bug somewhere. We're not going to tell you what it is but here's a patch. I mean, you kept the bug secret for a long time and there are lots more companies out there who have these servers that need to be fixed than just the ones you convened in that secret meeting.
Mr. KAMINSKY: In the security community I am known as the guy who does DNS. So, I kind of thought I was enough and I was wrong.
SEABROOK: Were you afraid that if you told people about this bug that it would immediately be exploited?
Mr. KAMINSKY: Yeah.
SEABROOK: But then this week someone actually figured out what the flaw was and posted it online. So, where are we now?
Mr. KAMINSKY: The results are good. I mean, we started out with 80-plus percent of hosts vulnerable.
SEABROOK: Oh wow.
Mr. KAMINSKY: Now, almost 50 percent.
SEABROOK: All right. That's good progress. But, I mean, if 50 percent of the people coming here sites are vulnerable to this bug, what does that mean? I'm going to go online this weekend and, you know, check my bank balance and buy something from the Web site. And how do I know I'm not just giving away my information, my money?
Mr. KAMINSKY: The honest truth is, is that this is the responsibility of the Internet service provider and of the company and of the people who maintain infrastructure to actually deploy fixes. The average consumer shouldn't have to worry about this.
SEABROOK: You're an Internet security expert, so I have to ask: are you making money off of this? Is this, like, a good business for you?
Mr. KAMINSKY: Let's just say this hasn't exactly been good for billable hours.
(Soundbite of laughter)
Mr. KAMINSKY: I'm spending a whole bunch of time doing work 'cause I want my mom to be able to use the Internet.
SEABROOK: Dan Kaminsky - he's an Internet security expert from Seattle, Washington. Dan Kaminsky, thank you so much for speaking with us.
Mr. KAMINSKY: I'm glad to be here.
SEABROOK: So, if you want to see whether you're vulnerable, you can find a link to test your Internet connection on our Web site, NPR.org. Or you could type in 18.104.22.168.