From: Darren Reed (avalon@COOMBS.ANU.EDU.AU)
Date: Sun Feb 04 2001 - 01:08:41 CST


    In response to the debate on bugtraq, people should read this...
    If Paul hasn't already forwarded a copy there, that is...

    > To: BIND-Members Forum Information:;
    > Subject: FREQUENTLY ASKED QUESTIONS ABOUT THE BIND-MEMBER FORUM
    > Date: Sat, 03 Feb 2001 22:32:01 -0800
    > From: Paul A Vixie <Paul_Vixie@isc.org>
    > X-Approved-By: Paul_Vixie@ISC.Org
    > X-original-sender: Paul_Vixie@ISC.Org
    >
    > FREQUENTLY ASKED QUESTIONS ABOUT THE BIND-MEMBER FORUM
    >
    > LICENSING:
    >
    > Q: Does this mean ISC's software will no longer be publicly available?
    > A: NO. ISC's software is published under a "BSD-style" license which allows
    > full redistribution, in source or binary, embedded or not, modified or not,
    > with or without fee. This has not changed, and will not change, ever.
    >
    > Q: Then are you effectively charging for access to patches which come out
    > between major releases?
    > A: NO. Patches will be distributed as before. In fact, all access to ISC's
    > software will continue as before. The bind-members Forum adds a new class
    > of access to ISC's personnel and sources, but subtracts nothing.
    >
    > Q: So the bind-members Forum programme does not restrict or delay any access
    > to which the industry has become accustomed?
    > A: Right.
    >
    > Q: You mean this whole thing is just to _add_ a new level of access for the
    > organizations ISC considers critical to the Internet's infrastructure.
    > A: Yes.
    >
    > FEES:
    >
    > Q: What is the fee structure associated with participation in the bind-members
    > Forum?
    > A: This is still under consideration. An announcement will follow. However,
    > we anticipate a graduated fee schedule similar to the X Consortium's.
    >
    > Q: This whole thing smacks of a money-making scheme to enhance ISC.
    > A: All fees collected under this programme will go to support ISC's mission,
    > which since 1993 has been (from http://www.isc.org/):
    > "The Internet Software Consortium (ISC) is a not-for-profit
    > corporation dedicated to developing and maintaining production
    > quality Open Source reference implementations of core Internet
    > protocols."
    > Anyone who feels that ISC spends money on things it shouldn't is welcome
    > to approach any board member and share those concerns. See our web page
    > (http://www.isc.org/ISC/bod.html) to learn who those board members are.
    >
    > Q: Has ISC decided to transform itself into a for-profit members-only club?
    > A: NO. ISC's mission, and its not-for-profit status, has not changed.
    >
    > CERT:
    >
    > Q: Does this mean ISC and CERT are parting ways?
    > A: Not at all. CERT has been ISC's partner in the discovery and publication
    > of critical bugs in BIND and other software ever since ISC was founded,
    > and ISC anticipates continuing this relationship in the foreseeable future.
    >
    > Q: Will vendors receive bind-members notice of new bugs before they receive
    > notice from CERT?
    > A: That will be up to CERT. If they decide that the bind-members Forum is an
    > acceptable notification method then they may choose to depend on it for
    > their own vendor notices concerning BIND bugs. In any case, ISC will notify
    > CERT of any critical bugs we discover before bind-members hears about them.
    >
    > Q: It's been said that CERT is too conservative about bug notifications, and
    > that by the time they publish their vulnerability notices, everybody pretty
    > much already knows what's going to be in it.
    > A: That has not been ISC's experience. In any case, ISC recognizes CERT as
    > the industry's chosen agent for this type of notification, and recommends
    > that anyone who is dissatisfied with CERT's policies discuss those policies
    > directly with CERT.
    >
    > Q: What's the difference between what OS vendors heard directly from CERT
    > before the bind-members Forum was created, and what they will hear now?
    > A: In the past, OS vendors heard that there was a bug and that ISC would be
    > releasing a patch to its latest releases, and if they needed any specific
    > help they should contact ISC directly. The bind-members Forum was created
    > to formalize and facilitate that contact.
    >
    > Q: What about critical bugs which are of no interest to CERT?
    > A: It's likely that such bugs would be discussed on bind-workers@isc.org, just
    > as they have been for some years now.
    >
    > NONDISCLOSURE:
    >
    > Q: Why doesn't ISC just open its CVS repository to the world and let
    > everyone find out about new bugs at the same time?
    > A: Because some parts of the Internet's infrastructure are harder to upgrade
    > than others, and ISC believes in coordinated announcements. If we opened
    > our CVS repository then the "black hats" and "white hats" would learn of
    > problems at the same instant. The "white hats" have more work to do
    > (preparing customer notifications and patches, and in some cases burning
    > CDROMs) than the "black hats" (just load the script-kiddieware and go).
    >
    > Q: What if the "black hats" release their notice before ISC or the "white hats"
    > know what's going on?
    > A: That happens sometimes. When it does, it's most unfortunate for the "white
    > hats" and we catch up as quickly as we can. But if, as happens frequently,
    > a critical bug is discovered during a source code audit, then ISC believes
    > that it's in the best interests of the Internet infrastructure to get the
    > patch into restricted distribution _before_ any general notices are sent.
    >
    > Q: What about customer responsibility? If a fee-paying participant in the
    > bind-members Forum learns of a critical bug, aren't they contractually
    > bound to tell their own customers about it no matter what NDA they signed?
    > A: Every participant has to weigh that for themselves. It is expected that
    > the period between the discovery and publication of a critical bug will be
    > limited by practicality to a short few days, and that a prospective
    > participant would see it as being in their customers' best interests to
    > cooperate with such a delay.
    >
    > Q: If OS vendors are already hearing notice from CERT, then what will the
    > bind-members Forum really change?
    > A: Every participant in the bind-members Forum will undergo security training
    > and will be required to learn and to use PGP or S/MIME when discussing
    > things they learn from the bind-members Forum. They will also agree to
    > avoid general internal discussion of things they learn from the Forum.
    >
    > Q: How will ISC enforce this NDA?
    > A: By definition, undetected NDA violations are of no concern to anybody. If
    > ISC detects a violation, then we reserve the right to terminate the
    > violator's participation in the bind-members Forum.
    >
    > Q: Can you give an example of a possible violation of this NDA?
    > A: Sending mail to ISC in clear text (that is, without any encryption) which
    > includes or references information which was learned via the bind-members
    > Forum and which has not been published elsewhere could be considered a
    > violation of the NDA.
    >
    > Q: What if part of my organization qualifies (let's say we serve a TLD) and
    > another part does not (let's say we serve a lot of non-TLD's) -- would we
    > be required to segregate our zones and only upgrade the "qualified" server?
    > A: No, you can run a single server if you want. But the person who upgrades
    > that server will not be able to do so from an organization-wide source pool,
    > or tell their coworkers what's being done, or why.
    >
    > Q: The proposed "bind-members Forum" system only obscures that a problem
    > exists which means that far more systems would be compromised by people
    > with bad intentions.
    > A: That would be true if we were proposing any additional delay before the
    > public (CERT-driven) announcement. We're not. This is just a change to
    > the way early notice to vendors and operators of critical servers is done.
    >
    > QUALITY:
    >
    > Q: None of this would be necessary if BIND weren't so full of security holes!
    > A: History has shown that most large projects have bugs, and that some of
    > these bugs will be security related or otherwise critical. BIND has had
    > its share of bugs, including critical ones. Because ISC lacks the hubris
    > needed to announce that there will never be another security-related or
    > otherwise critical bug in BIND, and because BIND is used on 90% of the
    > world's name servers including the root and TLD servers, we are formalizing
    > the way we will handle any future bugs which are found.
    >
    > Q: Other DNS software publishers promise 0 defects and even offer rewards.
    > Why can't ISC seem to compete at the quality game?
    > A: If someone else's DNS software ever runs on 80% of the Internet's name
    > servers and is shipped in source form that can run on a dozen or more
    > architectures, ISC will certainly feel that we have much to learn from
    > the authors of that software.
    >
    > Q: What's the long term plan? Are you going to invest any of the fees from
    > this project in some QA? (Ha ha ha.)
    > A: We've spent more than $2.5M on BIND9, which is a complete rewrite, and which
    > took a dozen senior or supersenior DNS software experts over two years to
    > complete. BIND9 is our long term plan. Check it out at...
    > http://www.isc.org/products/BIND/bind9.html
    > ...especially if you like to read clean elegant modular auditable source.
    >
    > SERVER SELECTIVITY:
    >
    > Q: Don't root and TLD server operators already receive early notice of bugs?
    > A: Root server operators do, since ISC operates a root name server and we
    > therefore know how to securely notify the other root server operators.
    > TLD server operators historically relied on public notifications from CERT.
    > The bind-members Forum will provide a secure communications path for root
    > and TLD server operators to learn about severe bugs early enough to complete
    > their upgrades before those bugs are common knowledge.
    >
    > Q: Why are the root and TLD operators "special" in this way? Shouldn't all
    > name server operators, regardless of what zones they handle, have access
    > to the same information at the same time?
    > A: Root and TLD servers enable the Internet to function. There is no resource
    > that is more critical in the information age, except perhaps electric power.
    > If any of these servers were ever to be nefariously corrupted, the impact
    > could be felt for many years following.
    >
    > Q: I'm outraged to learn that root server operators and CERT's vendor contacts
    > have been getting early notice of bugs and that you're now expanding this
    > program to TLD server operators and forging even closer ties to the vendors.
    > How long has this been going on?
    > A: Since at least 1993 when ISC was first incorporated.
    >
    > Q: What about SLD's that are effectively regional TLD's, like COM.UK?
    > A: If you run a server which, though an SLD, is "like .COM or .NET" but on
    > a country-level basis rather than a worldwide basis, you probably qualify.
    >
    > Q: What about RiR's?
    > A: If you operate a server for the first octet under IN-ADDR.ARPA, then you
    > qualify for the bind-members Forum since those servers are considered by
    > ISC to be part of the Internet's infrastructure.
    >
    > VENDOR SELECTIVITY:
    >
    > Q: Why should anybody have to pay ISC to receive critical bug notifications?
    > A: They don't. These notifications will continue to come from CERT, who does
    > not charge any fees for notices of vulnerabilities.
    >
    > Q: I mean, why should anybody have to pay ISC for the right to discuss these
    > bugs with ISC and in some cases have private access to ISC's source pool?
    > A: Because ISC is a not-for-profit corporation, and any programme of this kind
    > must be financially self-supporting. ISC's costs will include legal fees,
    > contract administration, release and software engineering, and system
    > administration (CVS, mailing lists, etc).
    >
    > Q: So what happens if the participants of the bind-members Forum decide that
    > they would rather notify their customers ONLY, and they try to block ISC
    > and/or CERT from public disclosure, to try to gain competitive advantage?
    > A: This seems unlikely, but if this were to come to pass, ISC would have no
    > choice but to exercise its contractual right to terminate the bind-members
    > Forum and we'd just go back to publishing patches in conjunction with CERT.
    >
    > MEMBER SELECTIVITY:
    >
    > Q: I'm an enterprise who uses BIND in production. Do I need to join the
    > bind-members Forum?
    > A: Not if you subscribe to the CERT mailing list. As an enterprise member,
    > you would only be eligible for early notifications of critical bugs if
    > you operate a root or TLD server. You can join, as a way to support the
    > ISC in general and this programme in particular, and if you join then you
    > will receive from ISC a copy of every BIND-related notice CERT sends out.
    > But from a practical standpoint you could get the same thing by just
    > subscribing to the CERT mailing list.
    >
    > Q: But my enterprise serves millions of customers worldwide, and a DNS outage
    > which is due to an attack you could have helped us prevent would place ISC
    > in absolutely grave liability for my losses.
    > A: We appreciate your position, and we know that your vendors, and CERT,
    > also understand the importance of getting enterprise-critical servers
    > upgraded at the earliest practical moment. However, the root and TLD
    > servers _will_ be done first, since without those, no other servers
    > would be reachable at all.
    >
    > Q: I'm an *SP or registrar who uses BIND in production and I serve 100,000
    > customer zones. Can I join the bind-members Forum and get early notice
    > of critical bugs?
    > A: Only if some of those 100,000 zones are TLD's or the root itself. See
    > above. ISC would happily count you as an institutional member and send
    > you copies of CERT's BIND-related advisories, but even with 100,000 zones
    > you don't fit ISC's definition of "the Internet's infrastructure." Sorry.
    >
    > Q: I'm an *SP who uses BIND in production and I serve 1,000,000 customer
    > zones, or a portal who uses BIND and has 1,000,000 or more distinct
    > eyeballs per day, or a defaultless *SP doing business in 10 countries.
    > What's my position with respect to bind-members Forum?
    > A: You may qualify. Contact ISC.
    >
    > Q: I'm a research lab involved in intrusions and intrusion detection. Is
    > there any benefit to participating in the bind-members Forum?
    > A: Nope. CERT will fully disclose any critical bugs, and ISC's patches
    > will be publicly available. At ISC's discretion, an exemption can be
    > made if you're one of the research labs who audits source code and helps
    > to preserve the Internet's infrastructure by cooperating in restricted
    > disclosure of what you find. Contact ISC.
    >
    > Q: I'm a software supplier and I include BIND in my product. Should I join?
    > A: Almost certainly. ISC considers it essential that your customers be able
    > to install a patch or new version on the same day CERT publishes its
    > vulnerability notice. This means you will need a bit of a head start.
    > However, you will have to agree to a strong NDA that prevents you from
    > telling your supported customers about a problem until ISC gives the OK.
    > This may be a conflict of interest for you, and we recommend that you have
    > your lawyers look over the NDA when you get it.
    >
    > Q: I'm part of the U.S. DoD, FBI, or other security-related agency. What's
    > my agency's eligibility?
    > A: Absolutely certain, though perhaps indirectly through another agency.
    >
    > Q: This seems unfair. Why does ISC get to decide who gets early access?
    > A: Because http://www.isc.org/ says...
    > "The Internet Software Consortium (ISC) is a not-for-profit
    > corporation dedicated to developing and maintaining production
    > quality Open Source reference implementations of core Internet
    > protocols."
    > ...and we take that mission very seriously.
    >
    > SUPPORT
    >
    > Q: I'm a support customer of ISC. Does this entitle me to early access to
    > critical bug notifications?
    > A: Not directly, no. But if you qualify under some other provision (for
    > example if you are also a TLD server operator) then your fees could be
    > waived. Contact ISC.
    >
    > Q: I'm a support customer of a BIND vendor or ISC contractor. What about me?
    > A: Your support vendor will likely participate in the bind-members Forum, and
    > as such you would be notified of critical bugs as soon as ISC and CERT
    > release the information, and it's likely that a patch would be installed
    > or made available coincident with such public release.
    >
    > ACTION
    >
    > Q: OK, I'm interested and I think I qualify. What now?
    > A: If you received this message directly, then you are already on a mailing
    > list where subsequent notices will be sent, and you don't have to do
    > anything at this time. If you received this message indirectly by
    > "forwarding", then you should contact isc-infoisc.org and ask to be placed
    > on either the bind-usersisc.org or bind-announceisc.org mailing list.
    >
    > REACTION
    >
    > Q: Why has there been such public outcry over this?
    > A: We call it the "whisper down the lane" effect. Most of the folks who read
    > the preannouncement notice for the bind-members Forum responded positively,
    > and several who misunderstood it and sought clarification were satisfied.
    > A vocal minority who misunderstood the announcement and/or disagreed with
    > the intent have been able to inflame considerable, but often mistaken,
    > public sentiment. With this FAQ we hope to dispel all such misconceptions.
    >
    > Q: If I still think this is a really bad idea, who should I complain to?
    > A: isc-info@isc.org is ready at all times for any comments or questions.
    >
    >