PRE-ANNOUNCEMENT: BIND-Members Forum
David R. Conrad
david.conrad at nominum.com
Thu Feb 1 02:19:24 UTC 2001
Larry,
At 08:01 PM 1/31/2001 -0600, Larry Sheldon wrote:
>I do believe that on balance, my best hope is with a free and open exchange
>of information.
If we were talking about (say) a word processor, I might agree. We're
not. We're talking about software that is used in critical points of the
Internet infrastructure that the vast majority of users have no choice in
whether they use or not. It is important to upgrade that infrastructure to
remove vulnerabilities prior to those vulnerabilities being made widely
known. Unfortunately, some organizations that are part of that
infrastructure will only implement patches/upgrades from the vendors they
obtained their software from. In order to ensure those parts of the
infrastructure are upgraded, the vendors must be informed with sufficient
time for them to apply the patches/fixes, test, package, and distribute the
new code. The question is how this can be done without making previously
unknown vulnerabilities known to the people who want nothing more than to
prove their 3l33t-ness by running a script someone else wrote that takes
advantage of the vulnerability.
>I'll take that as an apology, and the best answer to your question would
>then be something along the lines of "I'd like the vendors (by whom ever paid)
>to produce better quality, less frequently "vulnerable" products, for the
>discoverers of failures to do that to tell them what they need to know to
>repair the damage, and while that is going on, I want to know that I have
>been put at risk, and I want to know enough about the risk to do the best I
>can to protect myself.
Um. You missed the part about "world peace, global prosperity, and
happiness for all". We're talking about situations where ISC is made aware
of a bug and needs to propagate that information out to appropriate
parties. One can argue exactly who "appropriate parties" are, but
demanding vendors "produce better quality, less frequently vulnerable
products" is pointless. No one, least of all the folk who contribute code
to ISC, intentionally put security vulnerabilities into BIND. The question
is how to deal with that situation once it is discovered.
>My belief is that the bad guys world wide know of a newly discovered
>weakness (or worse, a newly created weakness) in a matter of minutes, while
>it may be weeks or months before I find out about via the "good guy"
>channels.
If an exploit for a vulnerability is made public, it is pointless in the
extreme to keep information about that vulnerability secret. I can't
imagine the ISC board would set up a situation where this could occur.
Rgds,
-drc