The concern over domain names and whether they can be hijacked by malicious code is accelerating. The BBC's website carries this story, in which Dan Kaminsky is credited with discovering the flaw and he warns that it could be more serious than we'd thought at first. Verisign is in the story rebutting him, but then they would, wouldn't they.
This is the point at which my journalism glands go into overdrive. I know how these stories work (much better than I know the technology) and getting at the truth isn't easy. Let's assume there's a nugget of rock solid, absolute fact in there - even Verisign admits as much in the story. We have to factor a few things in:
1. Kaminsky is speaking for the first time in public about the matter, and he's speaking at the Black Hat conference. Sounds innocuous - but when did anyone ever use a public platform like that to play something down? I don't know Kaminsky but in general people who're about to make speeches at major conferences will have been prepped. That means making a point loud and clear, and it means pushing it as far as it'll go in order to make an impression.
2. The report refers to Verisign as an "Internet giant". This is true enough but it doesn't give the reader any real idea of what they do, or where their authority comes from. It's possible that this is because the reporter didn't think the reader needed to know, and this would probably be sound judgement; it's also possible that the reporter didn't actually know. If the latter is the case (and again, I'm speculating) then it would be difficult for the writer to know how much weight to attach to the Verisign comments.
3. Verisign has so much vested interest in claiming the system isn't as broken as feared that it's almost not worth quoting them. It's like asking Microsoft whether Windows is any good.
So whatever the story says, what's actually happened is that someone else has set up an artificial environment - the conference - in which a speaker has tailored a presentation to his audience. This, clearly, may or may not bear any relation to the subject's actual importance, and away from the impetus to put a presentation together, the view expressed might have been different. We have a knee-jerk response from someone who has vested interests in playing the whole issue down.
I can't be the only one wondering how the story would have looked if there had been no conference or audience and a reporter had just phoned Kaminsky on the off chance, then got a sanity check from someone whose business didn't depend on the Net's solidity. Perhaps it would have been identical, but equally it could have been radically different.