nanog mailing list archives

Re: Reasons why BIND isn't being upgraded


From: Patrick Greenwell <patrick () cybernothing org>
Date: Fri, 2 Feb 2001 15:42:49 -0800 (PST)


On Fri, 2 Feb 2001, Joe Rhett wrote:

> > Without rehashing the whole "open-disclosure" vs. "non-disclosure"
> > arguments related to security issues in software, or the historically
> > extreme inadequacies of CERT in offering timely notification of ANY
> > security-related issues, it's very disappointing to see ISC resort to a
> > fee-based, non-public-disclosure-at-the-time-of-discovery, NDA'd and
> > "we'll update people via CERT" method of dealing with the community they
> > have served for so long.
> >
> > I would have hoped by now that lists such as Bugtraq would have adequately
> > exhibited the folly of such methodologies.
>
> The purpose of the list doesn't appear to circumvent Bugtraq -- you're
> comparing two different issues.

I suggest you re-read the pre-announcement, and also factor in other
statements made by Paul that the community will now be notified via CERT
when security problems occur. CERT has historically been worthless in this
regard (IMO). By the time they release warnings, the problems have been
well known among the security and dark-hat communities for weeks, months
or in extreme cases years. In all fairness I believe this has been
due to the vendors being unwilling to release the information, rather than
due to any fault of CERT staff.

In any case the result is the same: information is late in coming to
anyone that relies on CERT for that information, exposing those
individuals/organizations to a greater level of vulnerability and risk than
they would otherwise face. It's foolish to rely on CERT notifications as
the most timely information one could acquire.
 
Finally, I'm not sure what you'd call NDAs that would prevent disclosure
of security problems, but I'd say that's about as opposite of Bugtraq as
you can get.

P.S. AboveNet is taking the latest BIND vulnerability(ies) seriously enough
that they are beginning wholesale scans of their address space. Draw your
own conclusions related to masking version numbers.
