BINS Members forum (was: tsig exploit)

Claude Marinier claude.marinier at dreo.dnd.ca
Thu Feb 8 18:19:31 UTC 2001


I thought that the issue was

	Should ISC tell the world about a security problem at the
	same time as they tell those who re-distribute or should they
	tell the world after those re-distributors have had time to
	work on a solution?

or, more generally,

	Should one tell the world about a security problem before
	there is a fix?

What is the difference between tell everyone as soon as possible and tell
everyone after there is a fix? I am asking because it is not clear. Many
crackers will know of a problem before ISC and the news will spread. Some
less informed crackers may learn of it sooner if ISC tells as soon as they
know. What do you (as a user) gain from early disclosure? As a developer,
you gain from early disclosure and I read that there is provision for that
in the proposed BIND Members forum (even waived fees in some cases).

On Thu, 8 Feb 2001, Terje Bless wrote:
> On 08.02.01 at 08:58, Adam Augustine <adam_augustine at morinda.com> wrote:
> >I don't mean to be tedious with all the BIND Members forum stuff going on,
> >but a working TSIG exploit (not the nai.com one... well that one also :-()
> >has been circulating the IRC cracker channels for about a month now (if
> >not longer).
> >
> >The kiddies had their exploit a long time ago.
>
> But that's not important because so long as ISC and its nearest and
> dearest vendors close their eyes real tight and don't tell anybody
> about it there isn't a problem. *poof* It's gone. La-la-la-la-la I
> can't hear you! la-la-la-la

-- 
Claude Marinier, Information Technology Group    claude.marinier at dreo.dnd.ca
Defence Research Establishment Ottawa (DREO)    (613) 998-4901  FAX 998-2675
3701 Carling Avenue, Ottawa, Ontario  K1A 0Z4         http://www.dreo.dnd.ca



