Reasons why BIND isn't being upgraded

Joe Rhett jrhett at isite.net
Sun Feb 4 00:32:40 UTC 2001


> > The purpose of the list doesn't appear to circumvent Bugtraq -- you're
> > comparing two different issues.
> 
> I suggest you re-read the pre-announcement, and also factor in other
> statements made by Paul that the community will now be notified via CERT
> when security problems occur. CERT has historically been worthless in this
> regard(IMO). By the time they release warnings, the problems have been
> well known among the security and dark-hat communities for weeks, months
> or in extreme cases years. In all fairness I believe this has been
> due to the vendors being unwilling to release the information, rather than
> due to any fault of CERT staff. 

I'm no fan of CERT. Neither is Paul to my memory, but he can hardly
advocate Bugtraq to some of the communities in which he must play ball.

> In any case the result is the same: information is late in coming to
> anyone that relies on CERT for that information, exposing those
> individuals/organizations to a greater level of vulnerability and risk than
> they would otherwise face. It's foolish to rely on CERT notifications as
> the most timely information one could acquire.
What exactly does Paul's list have to do with this? You're still confusing
a software update channel with a response center. He's not creating a
response center, and neither would I in his circumstances. He's creating
something that doesn't exist at this point, not taking anything away from
anyone.

All of us knew about severe bugs in BIND months, sometimes years before
CERT reported an exploit. Paul's list may get the right information into
the right hands sooner.

Your complaint seems to boil down to the fact that he's not building an
organization to replace CERT. As another small business owner, I can guess
that he's got enough on his hands. If you feel this burning need for this, 
do it yourself!  Stop confusing a support channel with a response center.

> Finally, I'm not sure what you'd call NDAs that would prevent disclosure
> of security problems, but I'd say that's about as opposite of Bugtraq as
> you can get.

echo "Stop confusing a support channel with a response center."  If I was
paying a software vendor for support, and they released information to the
public before they gave me a chance to upgrade my vulnerable systems, I
would hand them a lawsuit with a number you'd have trouble imagining. 

Thus, my software vendors better damn well have a closed-circuit channel to
get me information on vulnerabilities with enough time to upgrade my
software.

HP, Sun, IBM and everyone else has contracts with the government and
private institutions that require immediate access to this information. If
Paul were to simply report a vulnerability to the world without giving these
vendors a chance to produce patches for their customers, they would be
forced to find another vendor for BIND.

You're applying an old rant about open access to vulnerability information 
in the wrong place. Vulnerabilities _do_ need to be published, but not
_before_ software vendors have a reasonable chance to update their software 
and produce patches!


Note: I'm not replying to anything else on this topic. People clearly
aren't thinking properly about this, and I'm not going to waste my time
arguing with ill-formed, biased 'religion' that has no place in the real
world.

-- 
Joe Rhett                                         Chief Technology Officer
JRhett at ISite.Net                                      ISite Services, Inc.

PGP keys and contact information:          http://www.noc.isite.net/Staff/

More information about the NANOG mailing list