PRE-ANNOUNCEMENT: BIND-Members Forum

Larry Sheldon lsheldon at creighton.edu
Thu Feb 1 02:01:03 UTC 2001


> 
> Larry,
> 
> At 07:30 PM 1/31/2001 -0600, Larry Sheldon wrote:
> >I do not welcome the prospect that my vendor might know about the problem
> ...
> 
> The situation you do not welcome exists now, albeit the list of 
> organizations contacted is maintained by CERT.  What I gather Paul is 
> suggesting is that the list is maintained by ISC, not CERT.

I agree that it exists--my position here is that I also do not welcome an
expansion of that problem, or even a changing of the guard.  I do not have
a good answer or even a well defined idea where a good answer might be.

I do believe that on balance, my best hope is with a free and open exchange
of information.

> > > Or do you believe the appropriate solution to this problem is to tell
> > > everyone at once and hope the product and service vendors are faster than
> > > the exploit writers?
> >That will do for "patronizing" while we wait for somebody that is really good
> >at it to come along.
> 
> It was not intended as patronizing -- it was an honest question.  There are 
> people who believe that by making security issues public immediately 
> strongly encourages folks to come up with solutions faster than they would 
> otherwise.  It is a valid position, albeit not one I agree with.

I'll take that as an apology, and the best answer to your question would
then be something along the lines of "I'd like the vendors (by whom ever paid)
to produce better quality, less frequently "vulnerable" products, for the
discoverers of failures to do that to tell them what they need to know to
repair the damage, and while that is going on, I want to know that I have
been put at risk, and I want to know enough about the risk to do the best I
can to protect myself."

The simple fact seems to be that while the "protectors" are keeping us
in the dark as best they can, the bad guys think it worth the risk that
I might find out while they keep each other fully informed.

My belief is that the bad guys world wide know of a newly discovered
weakness (or worse, a newly created weakness) in a matter of minutes, while
it may be weeks or months before I find out about it via the "good guy"
channels.

Something wrong with that picture.
--
-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-
.                                                                       .
- L. F. (Larry) Sheldon, Jr.                                            -
. Unix Systems and Network Administration                               .
- Creighton University Computer Center-Old Gym                          -
. 2500 California Plaza                                                 .
- Omaha, Nebraska, U.S.A.  68178       Two identifying characteristics  -
. lsheldon at creighton.edu                  of System Administrators:     .
- 402 280-2254 (work)                Infallibility, and the ability to  -
. 402 681-4726 (cellular)               learn from their mistakes.      .
- 402 332-4622 (residence)                                              -
. http://www.creighton.edu/~lsheldon    Adapted from Stephen Pinker     .
-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-
