nanog mailing list archives
Re: Reasons why BIND isn't being upgraded
From: Patrick Greenwell <patrick () cybernothing org>
Date: Fri, 2 Feb 2001 15:42:49 -0800 (PST)
On Fri, 2 Feb 2001, Joe Rhett wrote:
Without rehashing the whole "open-disclosure" vs. "non-disclosure" arguments related to security issues in software, or the historically extreme inadequacies of CERT in offering timely notification of ANY security-related issues, it's very disappointing to see ISC resort to a fee-based, non-public-disclosure-at-the-time-of-discovery, NDA'd and "we'll update people via CERT" method of dealing with the community they have served for so long. I would have hoped by now that lists such as Bugtraq would have adequately exhibited the folly of such methodologies.

The purpose of the list doesn't appear to circumvent Bugtraq -- you're comparing two different issues.
I suggest you re-read the pre-announcement, and also factor in other statements made by Paul that the community will now be notified via CERT when security problems occur. CERT has historically been worthless in this regard (IMO). By the time they release warnings, the problems have been well known among the security and dark-hat communities for weeks, months or in extreme cases years. In all fairness I believe this has been due to the vendors being unwilling to release the information, rather than due to any fault of CERT staff. In any case the result is the same: information is late in coming to anyone that relies on CERT for that information, exposing those individuals/organizations to a greater level of vulnerability and risk than they would otherwise face. It's foolish to rely on CERT notifications as the most timely information one could acquire.

Finally, I'm not sure what you'd call NDAs that would prevent disclosure of security problems, but I'd say that's about as opposite of Bugtraq as you can get.

P.S. AboveNet is taking the latest BIND vulnerability(ies) seriously enough that they are beginning wholesale scans of their address space. Draw your own conclusions related to masking version numbers.