DNS flaw: To tell or not to tell
- TAGS:Dan Kaminsky, DNS, Matasano
- IT TOPICS:Internet, Networking, Security
Dan Kaminsky came out with a whopper of a story a couple of weeks ago about a huge and fatal flaw in DNS. The kicker was that he wasn't telling. Instead, he was going to release the details in a talk at BlackHat. Naturally, that led to speculation that it was a glorified marketing stunt to keep people interested in his talk. That theory is rotten at its core, though, because Dan shared the details with the DNS vendors first so they could patch before anything was public. So much for selfishness.
But now the beans have been spilled (the Matasano crew accidentally did it when they replied to Halvar's speculations after reading some "DNS-for-dummies-text"), and so you have another whole crew of people coming out all upset because someone told everyone else, and now the hackers are going to be able to get the details and start exploiting before everyone patches. So, some points here:
- Ummmm.... guess what? There are going to be a BUNCH of people who NEVER PATCH. Yep, that's right. There are some totally clueless and isolated people out there who won't get the news. There are some people who just don't give a crap. And there are some who are a mixture of both. That sucks, but it is reality.
- Dan did the right thing, and he did a commendable job making this happen without it getting out. I was amazed that this didn't happen until now. As some have speculated, there are probably black hats out there who have already figured it out since they were looking for it immediately after the announcement, but at least the patches are there.
- But I also don't have an issue with people speculating on it. It is going to happen, people. There's no way to shut people up. Sorry to not give proper acknowledgement because I can't find where I read it, but someone said that the cabal approach doesn't work in these cases. I agree. Dan handled it just fine by getting everyone to patch first. It sucks if people don't patch, but at least the patch is there for the taking.
- Though I understand why he did it, I don't think Thomas Ptacek should have to apologize for letting out the proverbial big furry purring cat. This is just one of those things that happen. There are too many people looking to sort these things out and tell someone. Should Halvar have done it? Maybe not. But at this point, why keep it a secret? People need to know what is going on if they are expected to do their jobs.
- As to this taking away from Dan's BH talk, Halvar said in his comments in response to some ridiculous criticism, "Seriously, if you think that my vague mumblings take anything away from Dan's talk, you're insulting Dan. He's one of the leading experts on DNS, and he'll give a talk about much more than the 8 lines of potential bullshit that I wrote."
Seriously people, this is done. Quit griping about it. Just patch and keep working. And go see Dan at BlackHat.
[UPDATE]: I posted some more about this on my personal blog.

