PRE-ANNOUNCEMENT: BIND-Members Forum

David R. Conrad david.conrad at nominum.com
Thu Feb 1 02:19:24 UTC 2001


Larry,

At 08:01 PM 1/31/2001 -0600, Larry Sheldon wrote:
>I do believe that on balance, my best hope is with a free and open exchange
>of information.

If we were talking about (say) a word processor, I might agree.  We're 
not.  We're talking about software that is used in critical points of the 
Internet infrastructure that the vast majority of users have no choice in 
whether they use or not.  It is important to upgrade that infrastructure to 
remove vulnerabilities prior to those vulnerabilities being made widely 
known.  Unfortunately, some organizations that are part of that 
infrastructure will only implement patches/upgrades from the vendors they 
obtained their software from.  In order to ensure those parts of the 
infrastructure are upgraded, the vendors must be informed with sufficient 
time for them to apply the patches/fixes, test, package, and distribute the 
new code.  The question is how this can be done without making previously 
unknown vulnerabilities known to the people who want nothing more than to 
prove their 3l33t-ness by running a script someone else wrote that takes 
advantage of the vulnerability.

>I'll take that as an apology, and the best answer to your question would
>then be something along the lines of "I'd like the vendors (by whom ever paid)
>to produce better quality, less frequently "vulnerable" products, for the
>discoverers of failures to do that to tell them what they need to know to
>repair the damage, and while that is going on, I want to know that I have
>been put at risk, and I want to know enough about the risk to do the best I
>can to protect myself.

Um.  You missed the part about "world peace, global prosperity, and 
happiness for all".  We're talking about situations where ISC is made aware 
of a bug and needs to propagate that information out to appropriate 
parties.  One can argue exactly who "appropriate parties" are, but 
demanding vendors "produce better quality, less frequently vulnerable 
products" is pointless.  No one, least of all the folk who contribute code 
to ISC, intentionally put security vulnerabilities into BIND.  The question 
is how to deal with that situation once it is discovered.

>My belief is that the bad guys world wide know of a newly discovered
>weakness (or worse, a newly created weakness) in a matter of minutes, while
>it may be weeks or months before I find out about it via the "good guy"
>channels.

If an exploit for a vulnerability is made public, it is pointless in the 
extreme to keep information about that vulnerability secret.  I can't 
imagine the ISC board would set up a situation where this could occur.

Rgds,
-drc
