OSEC

From: Juergen P. Meier (jpmCLASS.DE)
Date: Sat Feb 03 2001 - 04:51:21 CST

    On Fri, Feb 02, 2001 at 02:14:58PM -0500, Phil Scarr wrote:
    > While there has been a lot of hyperbole strewn about on this topic, I
    > figured I'd go out on a very long, slender limb and agree with the
    > stated purpose of this new conspiracy/cabal/clique/whatever.

    Well, not that long - the ISC's arguments are quite valid, even if I
    disagree with their plans.

    > I agree that TLDs should have early access to security related issues.
    > I can also make the same argument for vendors who ship bind as part of
    > their offerings, especially OS vendors like Sun, HP and IBM.

    Whatever ISC does, those vital parts of the Internet infrastructure
    should always get that information immediately, with as little delay
    as humanly and technically possible.

    > While most people who read this list are quite happy to go to ISC and
    > fetch the most recent code at the announcement of a bug, there are
    > *literally millions* of people who rely on the vendor to ship them an
    > updated version so they can pkgadd/swinstall/rpm it into place. They
    > don't have the interest/skills/whatever necessary to maintain their own
    > versions of utilities they get from their vendor. To them, named is
    > *part of the OS*, not something you hack into place by typing
    > make/configure/whatever.

    Sad but true.

    > Is it fair to them to delay a timely response from their vendor (who
    > are, by the nature of the size and scope of their operations, slower
    > than glaciers at releasing fixes) when that vendor could (and should)
    > have advance notice of a security flaw for which there are no known
    > exploits in the real world? Sure, we can argue that vendors *should* be
    > faster, but that doesn't get the work done.

    Ah, here I think you (and the ISC) overlooked something:
    Although I believe the probability of having a blackhat among
    the root-nameserver maintainers is close to zero, I am convinced
    that the probability of blackhats among all those people who would
    receive such a closed-recipient-list security bulletin among the
    big vendors (IBM, Sun, HP and the Linux distributors) is much
    closer to one.

    I fear that if the ISC really does make this pre-announcement
    reality, we will have a situation where the bad guys will get
    those security warnings at the same time as the root-ns, TLD maintainers
    and vendors, and have even more time to develop and _use_ exploits
    before we even know that there is a hole.

    Well, it seems that "Obscurity != Security" does apply here too.

    The ISC should take this into account, and weigh it against
    their arguments.

    > Flame away!

    Love to ;)

    > ;-)
    >
    > -Phil

    juergen

    --
    Juergen P. Meier                        email: jpmclass.de