From: Shalon Wood (dstarPELE.CX)
Date: Sat Feb 03 2001 - 17:10:34 CST


    "Juergen P. Meier" <jpmCLASS.DE> writes:

    > Ah, here I think you (and the ISC) overlooked something:
    > Although I believe the probability of having a blackhat among
    > the root-nameserver maintainers is close to zero, I am convinced
    > that the probability of blackhats among all those people who would
    > receive such a closed-recipient-list security-bulletin among the
    > big vendors (IBM, Sun, HP and them linux distributors) is much
    > closer to one.

    s/much closer to//

    I can't be the only person on BugTraq to have worked at one of the
    above mentioned vendors. There *are* idiots working there; no hiring
    process is, or can be, perfect.

    Some of these *will* get access to the info. Some of those *will* be
    blackhats, blackhat wannabes, or friends with the above. The
    information *will* get out.

    Just not to those of us who don't want our servers rooted.

    The only way I could see to prevent that would be to limit the info to
    one or two people per vendor, and that would kinda defeat the purpose,
    I think, because I'm not sure that's enough people to get a head start
    on patches.

    Now, ISC may have taken this into account. I'm not *dead* set against
    the idea yet, but I'm *extremely* skeptical. On the other hand, Paul
    Vixie & co are some very smart, very experienced people, and I don't
    subscribe to the conspiracy theories spouted by some people on the
    list.

    I'm willing to be convinced, but I haven't seen Paul & co address this
    yet.

    Shalon Wood

    --