PRE-ANNOUNCEMENT: BIND-Members Forum

Lawrence Chan webmaster at montevino.com
Sat Feb 3 08:55:15 UTC 2001


Hello,

It would seem that this members forum thing is a quick and dirty short
term solution by sacrificing timely and full disclosure for a patching
over of what is basically a distribution problem (despite Paul's
insistence that it isn't.)  All Bind users would suffer the same risk
from bugs, discovered either by ISC or by non-ISC entities.  When a bug
is uncovered in the wild, full and immediate disclosure would give all
users an equal chance to act (at worst to simply shut the servers down
until help comes rather than unwittingly propagating the infected cache
or what have you.)  And by playing this "father knows best", the
distribution problem won't go away and would in fact get worse with
increased usage.

Lawrence Chan
lchan at montevino.com
__________________________________________________________________

Christine Tran wrote:

> >No, it's not.  No one is arguing that the vulnerabilities shouldn't
> >be disclosed and disclosed fully.  The question is when.
>
> A window where paying members get access to bugs & fixes while
> the rest of the hoi polloi waits doesn't sound like full disclosure
> to me, but call me crazy.
>
> >> Free software, free bug fix.
> >
> >Come again?  You seem to be arguing that because you don't
> >pay for the software, you're entitled to prompt notification of
> >bugs and timely patches.
>
> Umm, yes ... you've seen the Dilbert strip where management pays
> coders a buck for every bug found?  I am not in any remotely oblique
> way suggesting that anyone at Nominum or ISC went to the Dilbert
> School of Programming.  Lots of people run BIND because it's
> good AND free, but once they've committed to BIND, they'll discover
> a hidden security cost.  I realize ISC doesn't proactively invite
> people to use BIND, but it's rather unfair for folks who gravitate to
> BIND because they don't have the big money, who will be behind the
> security power curve for this same reason.  In Egypt it costs you
> nothing to ride a camel, but $10 USD to get off.  I think I'll have
> less problem if ISC charges up front.
>
> >Surely you can understand the need to patch critical pieces of
> >infrastructure such as the root, gTLD and ccTLD name servers
>
> I'm all for that.  I went back & reread Paul's original message and
> all the responses & rebuttals.  Still not convinced it's not a
> disclosure issue.  Still not convinced the consortium will result in
> timely bug fix and no vulnerability leakage.  Someone mentioned that
> this is not different from current situation when CERT prewarns the
> vendors, so why change and introduce an undemocratic, discretionary
> fee-based system that fosters an atmosphere of exclusivity?  I won't
> belabour the point, Cricket can have the last word. :)
>
> CT
