From: Phil Scarr (prscarrGREYMOUSER.COM)
Date: Fri Feb 02 2001 - 13:14:58 CST


    On Fri, Feb 02, 2001 at 07:06:23AM -0600, Shalon Wood (dstarPELE.CX) was heard to have said:
    > Cooper <CooperLINUXFAN.COM> writes:
    >
    > > Now, could someone explain to me why a select list of individuals should
    > > get an earlier warning?
    >
    > I think this is the crux of the matter. Before you can say that this
    > is a good idea, you first have to show that some people should get
    > early notice. Quite frankly, I can see a *very* strong argument in
    > favor of the root servers, CCTLD, &c operators getting advance
    > notice. I can't think of *any* good reason for anyone else to get
    > it. Sun, HP, IBM -- none of those are critical infrastructure.

    While there has been a lot of hyperbole strewn about on this topic, I
    figured I'd go out on a very long, slender limb and agree with the
    stated purpose of this new conspiracy/cabal/clique/whatever.

    I agree that TLDs should have early access to security related issues.
    I can also make the same argument for vendors who ship bind as part of
    their offerings, especially OS vendors like Sun, HP and IBM.

    While most people who read this list are quite happy to go to ISC and
    fetch the most recent code at the announcement of a bug, there are
    *literally millions* of people who rely on the vendor to ship them an
    updated version so they can pkgadd/swinstall/rpm it into place. They
    don't have the interest/skills/whatever necessary to maintain their own
    versions of utilities they get from their vendor. To them, named is
    *part of the OS*, not something you hack into place by typing
    make/configure/whatever.

    Is it fair to them to delay a timely response from their vendor (which
    is, by the nature of the size and scope of its operations, slower
    than glaciers at releasing fixes) when that vendor could (and should)
    have advance notice of a security flaw for which there are no known
    exploits in the real world? Sure, we can argue that vendors *should* be
    faster, but that doesn't get the work done.

    Flame away!

    ;-)

            -Phil

    --
                                                         GREYMOUSER CONSULTING
                  System, Network and Security Architecture and Administration
                              for Central Virginia (http://www.greymouser.com)
    * S o l a r i s  *  H P - U X  *   L I N U X   *   W  i n d o w s   N T  *