Kaminsky said the short-term impact from the bug going public is that some administrators will have to take down their networks unexpectedly in order to patch.
But he had little sympathy for those who had brushed off his earlier warnings. "Some people said,'I can't justify doing anything without knowledge of the exploit,'" Kaminsky said. "To those people, all I can say is,'So, do you feel safer now?'"
Kaminsky also had words for security researchers who don't understand how difficult it is to organize a large-scale patching effort, or even how much time it takes to patch a widespread flaw throughout a corporation's network. "Our job as security researchers isn't just to find bugs, but to get them fixed," he argued. "Breaking stuff is easy. Who has the easier job? The one who finds the bug or the one who helps fix it? The hacker has the easier job here.
"This isn't a trivial patch. It's going to take a huge amount of effort. A lot of organizations are going to be rough on their IT staffs to get this done."
He was encouraged, however, by the progress that had been made in patching the bug, even in just 13 days. "There are a lot of people who have patched, not a majority, but 30 per cent to 40 per cent of those tested [using a widget on Kaminsky's site were safe. Those are enormous numbers for such a short time. Is that everyone? No," said Kaminsky. "But those that started [when patches were first available] have a two-week head start over those who waited."
Kaminsky, however, wasn't ready to get specific about what he would have done differently. Those lessons, he said, would have to wait until after Black Hat. "I did everything I could for my customers," he concluded. "I have taken a lot of dings, but I would do it again."