On Sat, 3 Feb 2001, Adam Rothschild wrote:
> Why not just notify everyone at once? That way, when vulnerabilities are discovered, people can take whatever action they deem appropriate to protect their infrastructure (write/release their own set of BIND
It seems obvious that the goal is to get the root-servers upgraded and OS vendors notified so they can release patches/updates before holes become public knowledge. As someone else mentioned, some OS vendors have histories of taking an unreasonably long time to release updates for known vulnerabilities.

If the main goal is simply to help the net continue to function, it might make sense to have a multi-tiered bind-members set of groups. BIND developers would be the first to know about things, since they maintain the code. Root-servers would be first to get security notifications/updates. Then OS vendors would be notified (since this is the level I expect most likely to cause information leaks). Perhaps then, after a predetermined period of time, the notification goes public, whether all the vendors have released updates or not.

It seems we already have the beginnings of this system. The [currently known] holes in <8.2.3 were found and fixed. The root-servers all got upgraded. Then we got a message posted around midnight EST Friday night on nanog (not bugtraq) with a lot less detail than the average bugtraq post, basically saying, "there's holes...you better upgrade". At that point, it's off to the races. You can bet people downloaded source for 8.2.3 and compared its code to previous versions looking for the holes. Did you upgrade before the first cracker found a hole and wrote an exploit? I think ISC is trying to avoid this scenario in the future, but it's unavoidable.

Suppose things had gone differently. Instead of Vixie's post Friday night, sometime the following week we see a post from someone (I guess it wouldn't be ISC if they plan to let CERT handle security announcements...but CERT generally doesn't move very fast...so it wouldn't be from them:) on bugtraq notifying us that new holes have been found, and listing the various vendors who have updates ready and their update instructions. At that point, we're pretty much back in the same situation as Friday night / Saturday morning, except that the upgrade process is a little easier, much easier for the compiler-challenged (or those unfortunate people running OSes where development tools cost extra).

I think this is slightly preferable to what happened this time, as long as the time periods are kept short. The longer it takes for a security notification to go public, the more time we have for the information to leak to the cracker community, where you can bet an exploit will be written and circulated.

If you read this far, thanks. I didn't intend to ramble on so long.

-- 
 Jon Lewis *jlewis@lewis.org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________