I read a wonderful article in Wired last night. I guess I was out of touch because I didn't even know this happened. Check out this quote from the article:
Kaminsky froze. This was far more serious than anything he could have imagined. It was the ultimate hack. He was looking at an error coded into the heart of the Internet's infrastructure. This was not a security hole in Windows or a software bug in a Cisco router. This would allow him to reassign any Web address, reroute anyone's email, take over banking sites, or simply scramble the entire global system. The question was: Should he try it?
The vulnerability gave him the power to transfer millions out of bank accounts worldwide. He lived in a barren one-bedroom apartment and owned almost nothing. He rented the bed he was lying on as well as the couch and table in the living room. The walls were bare. His refrigerator generally contained little more than a few forgotten slices of processed cheese and a couple of Rockstar energy drinks. Maybe it was time to upgrade his lifestyle.
Or, for the sheer geeky joy of it, he could reroute all of .com into his laptop, the digital equivalent of channeling the Mississippi into a bathtub. It was a moment hackers around the world dream of—a tool that could give them unimaginable power. But maybe it was best simply to close his laptop and forget it. He could pretend he hadn't just stumbled over a skeleton key to the Net. Life would certainly be less complicated. If he stole money, he'd risk prison. If he told the world, he'd be the messenger of doom, potentially triggering a collapse of Web-based commerce.
Can you imagine if he decided to actually go to the black market with this thing?!?! Unfathomable, really.
Luckily a patch was implemented, although not a foolproof one.
Though the Redmond group had agreed to act in concert, the patch—called the source port randomization solution—didn't satisfy everyone. It was only a short-term fix, turning what had been a 1-in-65,536 chance of success into a 1-in-4 billion shot.
Still, a hacker could use an automated system to flood a server with an endless stream of guesses. With a high-speed connection, a week of nonstop attacking would likely succeed. Observant network operators would see the spike in traffic and could easily block it. But, if overlooked, the attack could still work. The patch only papered over the fundamental flaw that Kaminsky had exposed.
I guess 1:4 billion is better than it was pre-patch ;-)