PRE-ANNOUNCEMENT: BIND-Members Forum

Joseph S D Yao jsdy at cospo.osis.gov
Mon Feb 5 17:40:51 UTC 2001


On Sat, Feb 03, 2001 at 04:45:54PM +0800, Lawrence Chan wrote:
> It would seem that this members forum thing is a quick and dirty short term
> solution by sacrificing timely and full disclosure for a patching over of
> what is basically a distribution problem (despite Paul's insistence that it
> isn't.)  All Bind users would suffer the same risk from bugs, discovered
> either by ISC or by non-ISC entities.  When a bug is uncovered in the wild,
> full and immediate disclosure would give all users an equal chance to act (at
> worst to simply shut the servers down until help comes rather than
> unwittingly propagating the infected cache or what have you.)  And by playing
> this "father knows best", the distribution problem won't go away and would in
> fact get worse with increased usage.

And just for fun you repeat this FUD twice.

Let's play this out.

Current scenario:

- Somebody (X) discovers potential vulnerability.
- X reports it to CERT and/or ISC.
- CERT tells ISC and select vendors.
- Vendors mill around in mild panic and confusion.  Some actually make
reasonable contributions/suggestions.
- Some vendor(s) and/or implementor(s) come up with a fix or fixes.
- ISC incorporates best of fixes into baseline product.
- ISC notifies CERT and vendors, and sends out a bind-announce message.
- CERT waits for responses from some reasonable subset of vendors.
- CERT sends out its announcement within a day or two.
- Wait for next discovery and repeat.

LET'S-TELL-THEM-ALL scenario:

- Somebody (X) discovers potential vulnerability.
- X reports it to CERT and/or ISC.
- CERT tells ISC and select vendors.
- ISC tells EVERYBODY.
- Vendors mill around in mild panic and confusion.  Some actually make
reasonable contributions/suggestions.  Users mill around in even more
panic and confusion, because the decision makers in general have an
even lower clue quotient.  50% of BIND users' bosses order their name
servers shut down immediately until a fix is available, unaware that
thus cut off from civilised society, their admins have no way of knowing
or accessing a fix.  [This is based on a real-world scenario with a
different network service.]  Some of the smarter hackers find a way to
exploit this vulnerability, knowing there will necessarily be a window
of opportunity - and they use it.  75% of BIND servers end up being
down as others react to the few that the hackers reach.
- Some vendor(s) and/or implementor(s) come up with a fix or fixes.
- ISC incorporates best of fixes into baseline product.
- ISC notifies CERT and vendors, and sends out another bind-announce
message.
- CERT waits for responses from some reasonable subset of vendors.
- CERT sends out its announcement within a day or two.
- Eventually, the sites whose BIND servers are down read the story in
the Wall Street Journal, the Commerce Business Daily, or the grocery
store tabloids, and bring their networks on-line long enough to grab a
copy of the new BIND, after which they're back up.
- Wait for next discovery and repeat, except this time NOBODY TELLS ISC
SO THAT THE WORLD-WIDE PANIC IS NOT REPEATED.

Pretty cool, eh?  Don't tell me I exaggerated.  Of course I did.
Except that the 50% of the bosses is not an exaggeration - it is an
observation from a previous network panic.  I actually reduced the
number there, lest people stop reading in disbelief.

Let's try this one more time:

- Somebody (X) discovers potential vulnerability.
- X reports it to CERT and/or ISC.
- CERT tells ISC and select vendors.
- ISC tells bind-members.
- Vendors and some of the less clueful bind-members mill around in mild
panic and confusion.  Some actually make reasonable contributions/
suggestions.  Most of these, by no coincidence, are in bind-members.
- Some vendor(s) and/or implementor(s) come up with a fix or fixes.
- ISC testing includes real-time messages to bind-members to help with
the testing [NOTE: this means being attacked or otherwise triggering
the vulnerability].  This speeds up determining the best fix or fixes.
It also makes beta fixes available immediately to bind-members, who
presumably are aware that these may NOT be final fixes, and may in fact
cause worse problems.  [It seems that many people on the 'Net are not
aware of this.  Else why would they keep installing the successive beta
versions of MS Windows that MS calls "releases"?]
- ISC incorporates best of fixes into baseline product.
- ISC notifies CERT and vendors, and sends out a bind-announce message.
- CERT waits for responses from some reasonable subset of vendors.
- CERT sends out its announcement within a day or two.
- Wait for next discovery and repeat.

NOW, you decide.  Which of these three is the best scenario?

NOTE: since I do NOT work for ISC or Nominum, the above are best-guess
scenarios.  If you have not actively participated in such a scenario, I
strongly encourage you not to comment on the scenarios; but of course
you will if you want to.  Anyone who HAS participated in one of these
scenarios or a similar scenario is welcome and encouraged to comment.

-- 
Joe Yao				jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support					EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.