From: James F. Hranicky (jfh@CISE.UFL.EDU)
Date: Thu Feb 01 2001 - 17:25:50 CST

    When I first saw this, I thought the same as most others. However,
    it's possible that this approach may have merit. If I found a hole
    and could update the root servers before disclosure, I'd certainly
    do it.

    The more people you can inform without tipping off the black hats,
    the better. I guess this is the reason for a fee-based membership
    kind of thingy, to discourage black hats from finding out the details
    as long as possible.

    Of course, this relies on the members not snitching and the members
    all being white hats, and falls apart if a black hat finds an exploit
    and mails it to bugtraq, but perhaps it's better than nothing.

    Provided disclosure is made in a timely fashion, perhaps delayed
    disclosure could have some advantages over immediate disclosure.
    Is the open source community prepared to accept this might be the
    case?

    > As far as for-pay vulnerability lists for that single point of failure....
    > Hmmm... do you mean that all it will cost me is a few bucks spent on a cabal
    > membership and I can have a big head start on exploiting any new DNS bug and
    > thereby facilitating 0wn1ng every host on internet before anyone has any chance
    > to fix things or even know they're vulnerable(so that they can take _some_ sort
    > of precaution if possible)? Cool, buy the entire internet all for one low, low,
    > price.... where do I sign up? Oh that's right, I can't. I guess I just have to
    > be content with "bind-members" owning all my machines... :-( BTW As an aside I
    > think that if such a group ever actually forms, we'll likely see a backlash
    > response of one of the most systemic, wide-spread, attacks against the whole
    > DNS system ever seen, as they elevate themselves to the juiciest single hacker
    > target in human history...

    I can't buy this...the only credible alternative to delayed disclosure is
    immediate disclosure, and I imagine the "cabal" in question has little interest
    in 0wn1ng the 'net.

    Currently, it seems to me that the cabal idea can at worst fail,
    in which case it's no worse than no cabal.

    The only thing we can do about BIND alternatives is write another
    implementation. Hey, maybe we can get Wietse to write one :->

    Bottom line: The ISC is responding to the fact that software has bugs,
    and informing the community about them is a two-edged sword. Even
    if DJB's implementation were in its place, it's still conceivable that
    a root bug may show up at some point.

    The more I think about it, the less bothered I am.

    Others have said:

    > This means only system crackers and paying parties will be aware of
    > security issues. How is this model going to benefit the internet as a
    > whole and the security community? I rely on free information from lists
    > like bugtraq and cert to keep my systems secure. I now have to pay for
    > my own security?

    I don't think so. As always, the vast majority of the internet finds
    out about security holes *after* someone else. What the ISC appears
    to be doing (IMHO) is saying:

            Look, if we find a hole, we're going to patch it on the
            root servers so you guys can continue to have this Internet
            thing work, then we'll alert vendors, and then you guys can
            either get the fix from us or from your vendor.

    Note in this case the ISC did tell everyone, but (if I'm not mistaken) they
    delayed the notice until after the root servers were patched, then
    informed others that they should upgrade, then released the details
    of the problem. Could it be that this helped most folks upgrade before
    an exploit was crafted?

    > Like Richard Stallman said: "When you sign a nondisclosure agreement, you
    > are saying: 'I will screw fill-in-the-blank'". Why limit access to the code?
    > It sounds counterproductive (now when open source is finally being accepted
    > by software companies).

    If done properly, it may simply mean that members can't leak the info until
    the root servers are patched.

    > 6) Does "private access" to the CVS pool mean that the latest builds will
    > essentially be closed-source?

    This is a bit distressing, however. I don't see how closing off the CVS
    for all but a few does any good.

    Is there a site up with a full explanation of the reasoning behind the
    forum? If so, perhaps it could quell the bad feelings somewhat...

    Oh well, $.02 .

    Flamiturus, te salutamus...

    ----------------------------------------------------------------------
    | Jim Hranicky, Senior SysAdmin            UF/CISE Department      |
    | E314D CSE Building                       Phone (352) 392-1499   |
    | jfh@cise.ufl.edu                         http://www.cise.ufl.edu/~jfh |
    ----------------------------------------------------------------------
             - Encryption: its use by criminals is far less -
             - frightening than its banishment by governments -
                          - Vote for Privacy -