Web security is a touchy thing. We’re often told of vulnerabilities and design flaws only after they’ve been fixed (a courtesy some researchers extend to prevent malicious abuse), so most of us remain unaffected as we go about our daily business online. A surprising number of people are still harmed by malicious code and by mass email campaigns designed to misdirect Web users into divulging sensitive data. But for the most part, things are “okay” for the majority. That is, unless a security company mistakenly posts information on its corporate blog that hands attackers what they need to exploit a flaw at will.
Yes, as Ars Technica and Computerworld have noted, something that would seem highly improbable was given a grand example earlier this week by an unnamed individual at Matasano Security. The story, in short: security researcher Dan Kaminsky (pictured at right) noticed a DNS flaw; Matasano confirmed it; both kept the secret for many weeks while fixes were put in order; someone purportedly commented on Kaminsky’s finding online; someone at Matasano then posted a message on the company blog regarding that comment. The rest, as they say, is history.
Soon thereafter, the post was removed, and an apology by Matasano principal Thomas Ptacek was delivered. He said, in effect, “We dropped the ball here.”
You know those examples of corporate social media we provided earlier this week? It seems this slip by Matasano puts a bit of a black eye on the whole idea at the moment.