PRE-ANNOUNCEMENT: BIND-Members Forum

Larry Sheldon lsheldon at creighton.edu
Thu Feb 1 01:30:18 UTC 2001


Mr. Conrad replied to me, saying:

> 
> Larry,
> 
> At 04:33 PM 1/31/2001 -0600, Larry Sheldon wrote:
> >This theme ("without also notifying everyone") recurs, and concerns me.
> 
> Pragmatically speaking, how would you propose ISC (or any company) notify 
> organizations that use their software for products or services of problems 
> with that software so that those organizations can create new releases of 
> that software before the exploits are written that take advantage of those 
> problems?

I hope I am not the first to publicly say that this is a big problem for
which I know of no pat answer.  But I do know that more often than not, the
people to be protected by the use of secrecy, are in fact hurt by it.

I for one opt for sunshine in all dark places--I want to know that somebody's
code short-cut has put me and my customers at risk, and enough about the risk
to at least allow me to minimize as best I can the risk, or to quickly realize
what has happened to me when all else fails.

I do not welcome the prospect that my vendor might know about the problem
with my tires but has not for whatever reason chosen to share that information
with me so that I can as a minimum be prepared to recognize the catastrophic
failure when it comes--I am not assured that her interests (profits, costs,
reputation) are my interests.

> Or do you believe the appropriate solution to this problem is to tell 
> everyone at once and hope the product and service vendors are faster than 
> the exploit writers?

That will do for "patronizing" while we wait for somebody that is really good
at it to come along.

> Rgds,

Not much, I'd say.
--
-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-
.                                                                       .
- L. F. (Larry) Sheldon, Jr.                                            -
. Unix Systems and Network Administration                               .
- Creighton University Computer Center-Old Gym                          -
. 2500 California Plaza                                                 .
- Omaha, Nebraska, U.S.A.  68178       Two identifying characteristics  -
. lsheldon at creighton.edu                  of System Administrators:     .
- 402 280-2254 (work)                Infallibility, and the ability to  -
. 402 681-4726 (cellular)               learn from their mistakes.      .
- 402 332-4622 (residence)                                              -
. http://www.creighton.edu/~lsheldon    Adapted from Stephen Pinker     .
-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-

