From: Ben Greenbaum (bgreenbaumSECURITYFOCUS.COM)
Date: Thu Feb 01 2001 - 12:33:19 CST

    As I expected, there has been a flood of responses to the news about ISC's
    plan for a bind-members program. Rather than approve each, I have
    summarized many of them here. I realize that this is an emotional issue
    for many, but please remember that posts consisting of the entire original
    message with the addition of "Yeah, this sucks!" or the like will not be
    approved, so please don't bother :)

    -----------------------------------------
    From: achurchachurch.org (Andrew Church)

         I think it's a good excuse to get back to work on the DNS server
    I was working on when I was at university...

         On a more serious note, while I think this is a stupid idea,
    I'm not actually sure it will have much effect given the existence of
    Bugtraq; ISC can't stop outsiders from releasing advisories and such.
    The one thing I could see it doing would be shaking confidence and
    trust in BIND and its developers. Heck, even Microsoft publishes
    security reports; if ISC can't, does that mean they maybe have
    something to hide?

         Then again, another question is how many interested parties
    would be willing to sign the "strong NDA" the message calls for...

    -----------------------------------------------
    From: Joshua Fritsch <joshua.fritschnyfix.com>

    [ Blatantly obvious statement follows since it seems some people need a
    reminder.... ]

    This won't help anything other than giving the organizations with more
    money/resources an advantage over others. IMHO, if you want to stomp out the
    problem, you need to disseminate it far and wide (along with the solution),
    which will render the hole useless to those that would exploit it.

    However, decisions like these may lead to alternatives to BIND (some of
    which may work much better) -- so if they want to run themselves out of
    business, falling victim to people that understand the need for
    full-disclosure...... *shrug*

    ----------------------------------------------
    From: Robert van der Meulen <rvdmlin-gen.com>

    > 1. Not-for-profit members can have their fees waived
    This helps distributors of Free software, but closes it off for the rest.
    Bad. Independent security consultants/interested parties and developers
    whose company doesn't want to/can't pay are denied information.

    > 2. Use of PGP (or possibly S/MIME) will be mandatory
    Good, but it's open information, as far as I'm concerned ;)

    > 3. Members will receive information security training
    Only trained members are allowed to talk? The next step might be
    (paid) certification for the right to read about your own system's security.

    > 4. Members will sign strong nondisclosure agreements
    _BAD_.
    I'm allowed to read (if, of course, I'm a member, went through the exam, did my
    rites, and offered my firstborn) about security stuff that implicates me, my
    ISP, and the internet in general - but I'm not allowed to share?
    If my ISP, or a party I have to semi-trust for security, runs buggy software,
    I like to be able to tell them.
    What happens if one of the members starts an 'underground' fan-out?
    Exploits will be in the wild, but cannot be reported, fixed, or acknowledged
    publicly - apart from ISC-originating messages, of course.
    The members will be bound on hands and feet, and will not be able to speak
    about what they learn and know.

    > 1. Private access to the CVS pool where bind4, bind8 and bind9 live
    > 2. Reception of early warnings of security or other important flaws
    'early warnings' ?? This means that buggy, insecure bind versions can be
    running anywhere, and only the 'elite bind-members crew' is allowed to know?
    Sick.

    > If you are a BIND vendor, root or TLD server operator, or other interested
    > party, I urge you to seek management approval for entry into this forum, and
    > then either contact, or have a responsible party contact, isc-infoisc.org.
    I urge anyone with brains _not_ to participate. It probably won't do any
    good, as people will value the knowledge more than the fact that the setup
    sucks.
    If I was the rebellious type, I would try to get a public fan-out
    up-and-running as soon as possible (of course implying nothing here; letting
    ISC mess up their own mess will probably work out for the best in the end,
    anyways)

    -----------------------------------------------
    From: "Larry W. Cashdollar" <lwcVapid.dhs.org>

     This means only system crackers and paying parties will be aware of
    security issues. How is this model going to benefit the internet as a
    whole and the security community? I rely on free information from lists
    like bugtraq and cert to keep my systems secure. I now have to pay for
    my own security?

    ----------------------------------
    From: antirez <antirezinvece.org>

    Yes, it sounds very terrible. Even worse, BIND may be just the start
    (an emblematic one). Anyway, we all know that the major part
    of the security vulnerabilities are discovered by independent
    groups or individuals, who will post the new security problems
    discovered in publicly accessible mailing lists like bugtraq,
    so I feel that this can't have a very big impact for the people
    that want to get security-related information using the old channels.

    Probably the fee is required to provide information that is
    suitable for parties that don't own good technical skills.

    A harder problem may be if someone will pay independent researchers
    if they report new vulnerabilities only to the vendor. This will
    create a closed security that fits the business model of closed source.

    -----------------------------------------
    From: Kee Hinckley <nazgulsomewhere.com>

    It's been clear to me for some time that the costs of being a small
    company on the "unfiltered" internet are going to eventually be
    unmanageable. Eventually the only people who will be able to afford
    an unmanaged internet connection will be large companies. Everyone
    else will be sitting behind ISP firewalls or using third party
    services.

    I spend more and more of my time handling security issues, dealing
    with spam (somewhere.com appears to have hit the 200,000
    messages-per-month mark for email directed to non-existent email
    accounts) and doing general system administration. Moving core
    applications like BIND to a tiered support model means that if I want
    to stay ahead of the hackers I have to trust the reaction times of
    the tiers above me. And if I want timely notification I may also
    have to buy a support plan from somebody in the tier.

    On the other hand, I can see their goal. Right now it's a mad race
    to upgrade, the bad guys and the good guys get the notice at the same
    time. If they create a restricted circle they might be able to get
    the upgrade into the pipeline before the reason for the upgrade
    becomes public. But then of course, we're back to the situation
    where the decision about what is critical and what is not is made
    behind closed doors.

    Damned if you do, damned if you don't.

    -----------------------------------------------------
    From: "Barry W. Kokotailo" <cerberustelusplanet.net>

    I would like to hear an explanation as to why ISC would need to charge a fee to
    access a service that for many years was free and open to the Internet community.

    At the same time, it would allow for competition in the DNS marketplace by
    allowing private firms to offer possibly superior bind products at a competitive
    fee with ISC.

    The ability of any member to access the CVS source tree for such an important
    component of Internet life is of a concern. Some details as to how ISC is going
    to maintain a secure base would be in order.

    Since the ISC bind distribution is in wide use world wide, I would question the
    reasoning here.

    ------------------------------------------
    From: Seth Arnold <sarnoldwillamette.edu>

    I don't think it is so bad. It is all part of the free market economy --
    ISC moves to this format, and people will switch to using DNS servers
    that do not require paying for security information. It is likely DJB's
    tools will fill in much of the void. And, based on the histories of both
    DJB's tools, and ISC tools, I think this change is liable to be a good
    change.

    It might be the end of ISC, but the rest of the world will adapt pretty
    well. :)

    ---------------------------------------------------
    Winner of the "short sweet and to the point" award:
    ---------------------------------------------------
    From: Christopher Palmer <chrispbitstream.net>

    http://cr.yp.to/djbdns.html
    http://sourceforge.net/projects/dents/

    ----------------------------------------
    From: Rich Puhek <rpuheketnsystems.com>

    1) What about the recent events have "very clearly shown...the need for a
    fee-based membership..."? Sure, we see the usual race for the kiddies to get
    scripts and the vendors to release patches, but we're heading into an argument
    that's played out on bugtraq many times before.

    2) Why would members need a strong NDA? This is an open source project after all
    (see ISC's web page for their thoughts on open source). I suppose future plans
    could fall under an NDA even for an open source project, but an NDA and open
    source don't seem to work well together.

    3) Who will ISC consider "qualified parties"?

    4) Does ISC anticipate that the bind-members forum will be the only party to
    discover security flaws in the future (hence the "early-warning" benefit)?

    5) Are support contract sales at nominum lagging
    (http://www.nominum.com/services/support/)?

    6) Does "private access" to the CVS pool mean that the latest builds will
    essentially be closed-source?

    I can see the advantages of creating a tighter pool of developers that have
    access to in-person meetings and an internal mailing list. Restricting security
    information isn't a good idea as far as I'm concerned. Getting away from open
    source just isn't good.

    ----------------------------------------
    From: Dan Grillo <Dan_Grillogrillo.net>

    I agree. If ISC is charging money to distribute information,
    they'll need to show the people that are paying the money "value".

    The only way to provide "value" to the payers is to
    withhold (delay, dilute, etc) information from the general community.

    -------------------------------------
    From: woodsweird.com (Greg A. Woods)

    I agree -- I think it's a very bad turn of events, and hopefully not a
    sign of things to come!

    On the other hand I would not oppose something more of the form I first
    imagined when someone proposed that there should be a more formal way to
    notify TLD operators and commercial software vendors. Certainly if they
    wish to receive timely and professional notices of updates and fixes to
    the BIND software then it would be in the best interests of all of us to
    allow them to pay ISC a fee for such a service.

    However I would most strongly oppose any attempt to make those
    announcements "secret" through NDA or other forms of legal protection.
    That could only damage the community.

    -------------------------------
    From: <freedom2001freesurf.fr>

    "Need more money" sums up his point of view. I also think it's antinomic
    with the Internet mindset (I help you, you help me for free). So probably another
    community will be created to do the same things as isc.org for free ;-)

    -----------------------------------------
    From: "Steve" <stevesecuresolutions.org>

    To me this looks like another attempt to keep vulnerability information from
    reaching the general public. Terrible idea and in my opinion a large step
    backwards. The general state of security is much farther ahead because of
    (responsible) FULL DISCLOSURE. The recent BIND vulnerabilities highlight
    just that: major flaws were found, CERT was involved in contacting vendors
    and patching the issues. Once the issues have been addressed, multiple
    advisories are released. This model is used time and time again and has
    proven to be very effective.

    -------------------------------------------------
    From: "Martin A. Brooks" <martinhinterlands.org>

    ISC have done the Internet and the Open Source Community a favour by being
    the maintainers of the BIND package for so long and I can appreciate that
    this must be purely a loss maker for them. That aside, this is a
    Microsoft-alike approach (think MSDN), that will end up obscuring problems
    and retaining information; imo, the two best aspects of using open source
    software.

    If ISC are going to insist on this fee based system then, sadly, it might
    be time for a new maintainer to step forward.

    -----------------------------------------------
    From: Daniel Brandt <daniel.brandtmeridium.se>

    Like Richard Stallman said: "When you sign a nondisclosure agreement, you
    are saying: 'I will screw fill-in-the-blank'". Why limit access to the code?
    It sounds counter productive (now when open source is finally being accepted
    by software companies).

    People are late patching their servers as it is, why delay it further by
    putting in a middle hand like this? The vast majority of people running
    bind-servers won't be entitled to be members of this "elite"-forum.

    I'm sure this idea will NOT have a positive effect.
    -----------------------------------
    From: Mark (Mookie) <markzang.com>

    They will find themselves in a similar situation to FIRST. FIRST members were
    breached because their information was not openly distributed, so this resulted
    in a situation where specific targets were created. Because members were then
    a target they were deliberately attacked, whereas before they might have been
    ignored. (Not /always/ the case).

    <snip>

    ISC will have to face the consequences if they follow a similar path. People
    will target them and the BIND closed group if the information sources they
    currently use dry up. Who would join such a group knowing it was tantamount
    to putting on a glow-in-the-dark shirt during a night attack? Not I. And to
    be asked to pay for the privilege?!? Jolly.

    ------------------------------------------------------
    From: Adam Manock <abmanockspamsucks.planetcable.net>

    I have a particular problem with the feature below:

    > 2. Reception of early warnings of security or other important flaws

    So the rest of us are NOT warned until later? Perhaps when it's too late?

    As if the constant security problems with BIND weren't enough, one Black
    Hat on the "pay" list getting an "early warning" of a security problem could
    certainly make things worse.

    On a side note: there are alternatives to BIND.
    I sure am glad I already switched to D. J. Bernstein's djbdns.
    Readers might be interested in: http://cr.yp.to/djbdns if they feel they can
    no longer "trust" BIND. Note: http://cr.yp.to/djbdns/guarantee.html

    -----------------------------------
    From: Alex de Haas <alexhoeba.org>

    We live in a free world. So parties selling security information
    are in their right. We can condemn it, say we don't like it, but
    it's their choice in the end.

    I think as long as real free speech is allowed, sources like
    Bugtraq will remain in existence, providing people with small
    wallets, conflicting ethics and/or ideals with information.

    It might even ignite competition between the closed, fee based
    sources and the free and open sources of security information.

    Then, who do you trust? Commercial entities with a possible hidden
    agenda, or open minded individuals trying to help you stop a possible
    security breach as soon as it's known?

    Closing BIND can inspire people to write their own software. djbdns
    is an example of this.
    It'll probably stop a bunch of script kiddies, but high profile
    businesses will possibly have a false sense of security, for
    hackers/crackers* won't be stopped by a closure of security
    information around BIND.

    So, IMHO, ISC is being naughty, but I think it won't work out
    as they hope it will.

    (* = pick your choice)

    -------------------------------------------
    From: Sid Van den Heede <sidvopentext.com>

    This is very very sad. It's unfortunate when good people go bad.

    As a compliment to Paul Vixie, closing the BIND source as he is clearly
    suggesting (first point under "features...") would be about as bad as closing
    the Linux source. That's an indication of how important it is.

    Almost everybody depends on BIND for, well, just about everything to work on
    the Internet and on private IP networks. To make it unavailable is
    unconscionable. Of course, it also would force a new DNS project, which would
    be guaranteed to remain Open Source, and ultimately BIND would become
    irrelevant.

    By closing BIND, and making us rely on vendors, we're back to the bad old days.

    One wonders what Paul was thinking. Which particular "recent events" is he
    referring to, and how have they "very clearly shown" the need for this
    draconian change?

    ---------------------------------
    From: Todd Herr <therrva.rr.com>

    I'm not convinced that this is a wholesale change in direction. I
    don't see anywhere in this announcement that CERT advisories and
    the like won't still be released to the general public. Look again
    at the restrictions on the membership, and at the features and
    benefits.

    This new list would be for OS vendors and name server operators
    of root nameservers and TLD name servers, not operators of
    nameservers at <yourdomaingoeshere>.{com|net|org}. I read it as
    more of an "Early-Access" list for organizations that stand most
    to benefit by knowing about coming changes due to vulnerabilities.

    --------------------------
    From: ahowardnoerrors.com

    > Recent events have very clearly shown...

    How have recent events shown a clear "need for a
    fee-based membership forum" ? I am a dimwitted
    fool with no comprehension for this clear need.
    Please enlighten me.

    >consisting only of:
    >
    > 1. ISC itself
    > 2. Vendors who include BIND in their products
    > 3. Root and TLD name server operators
    > 4. Other qualified parties (at ISC's discretion)

    So basically, ISC is going to (at its "discretion")
    decide for us who is worthy of receiving information
    instead of putting it out there to let those who may
    benefit do so.

    > Requirements of bind-members will be:
    >
    > 1. Not-for-profit members can have their fees waived
    > 2. Use of PGP (or possibly S/MIME) will be mandatory
    > 3. Members will receive information security training
    > 4. Members will sign strong nondisclosure agreements

    I have no problem with 1-3. I think the NDA is a HORRIBLE
    idea. So not only are they going to limit who they decide
    to talk to but they are going to force those people not to
    talk to anyone else (about BIND).

    > Features and benefits of "bind-members" status will include:
    >
    > 2. Reception of early warnings of security or other
    > important flaws

    Number 2...The important one. Members get early warnings.
    All the other people out there who use BIND, well...looks
    like they're screwed. After all, the NDA would likely
    forbid the members from telling everybody about such
    vulnerabilities.

    I never understand why someone thinks that if they were
    smart enough to discover a security vulnerability THAT
    NO ONE ELSE IS! Makes *no* sense whatsoever. It strikes
    me as arrogant, condescending, elitist hogwash.

    I fear it would lull folks into a false sense of security
    and that it is just another attempt at security through
    obscurity.

    --------------------------------------------
    From: Security Admin <securitycyberlink.ch>

    VERY harmful. This is screaming for a code-fork, for the same procedure
    that happened with SSH. If ISC doesn't back off, we're soon gonna have
    OpenBind.

    > Requirements of bind-members will be:

    > 4. Members will sign strong nondisclosure agreements

    This is heavy. I wouldn't do that. I'd rather write my own DNS.

    > Features and benefits of "bind-members" status will include:
    >
    > 2. Reception of early warnings of security or other important flaws

    And this sounds rather fishy as well. Is nominum perhaps pulling strings?

    ----------------------------------------------

    Ben Greenbaum
    Director of Site Content
    SecurityFocus
    http://www.securityfocus.com