On Wed, 31 Jan 2001, Theo de Raadt wrote:
> What does the community think of this change in direction?
>
> (Myself, I think it is a terrible idea to charge money for security
> information access, and that closing BIND up like this is also going
> to be harmful)
Ok, just some comments that I haven't seen made anywhere else (If I'm
wrong in this, please accept apologies - I just think they should be
made, and a reasonably diligent search has not found them)
<snip included message from Paul Vixie. We've all seen it already>
Right. I can see both good and bad interpretations of this, but there are
some key facts that would make life on the internet that bit more
unpleasant for a lot of us.
Good points:
Well, the overall effect of the strategy, leaving ideology outside
the consideration, is to make the process of BIND bugs a lot more like
what happens to regular companies software - report a bug, and make it
public if it's not fixed within a reasonable period. I know this is
roughly the case already, but what is being talked of is a much more
formal way of doing this...
In this, I can't fault the idea. The root servers are *important*,
and a certain amount more effort put into protecting them than any old
server is perfectly valid.
Bad points:
This is more in the way of *results* of the suggestion that I can
see plausible - again, leaving the ideology out of the question.
The scenario described is something like this, I believe:
1) <person> reports a bug to <list member> (where person may or
may not be a list member)
2) <list members> prepare a patch
3) <list members> repair their servers
4) patch is released to the world, with appropriate information.
Now. Between (2) and (3) (inclusive) , the list members *CANNOT*
distribute any notice whatsoever of the patch existing. Binary patches are
insufficient, and can be compared against existing binaries to provide
tips on where the hole is. Source patches will highlight the problem.
The NDA will mean such hints cannot be dropped.
But the list members will not allow the patch to be distributed
until *all* their servers are safe. This increases the time an exploit is
wild, to the detriment of the entire internet community. The larger the
list, the larger the portion of the net that will be as safe as it would
be under the *current* system. But, the larger the list, the longer it
will take to organise a changeover - and if list members are paying for
subscriptions, they will want those subscriptions to mean patches are not
released without their OK. A longer period when the internet is
susceptible to such widespread cracking is a Bad Thing.
Secondly, as evidenced by a similar thread on Bugtraq currently,
bind can be fingerprinte - and it is current practice to avoid obfuscating
the version number. If people can read the version number of *any* list
member's server, they can see when an upgrade happened. If the rest of the
world doesn't know about that upgrade, then you can be pretty sure there's
a big exploit coming down the wire. And I don't know about you, but if *I*
were presented that information, about *my* servers, I would be getting
highly worried about who might be cracking my box. If I were interested in
cracking other people's boxes, I'd monitor version numbers too - if I
*know* there's an exploit in general, finding it can be easier.
Lastly... legality. IANAL, but does anyone with a little legal
experience know what position somebody contracted to keep a set of servers
for which non-list members have access to secure would be in, signing an
NDA which forbids him/her from patching those servers because other people
might see them?
Anyway, just some thoughts to throw into the discussion. I'm not sure
which way I'd go, given the choice - although I think the proposal could
do with a good few changes. Strictly, it's not my business, since I don't
admin a DNS server right this minute... but for all I know, that could
change within the week.
--
d=(1 0 6 0 1 0 5 5 41 5 3 12 4 5 15 1 4 -2 5 5 0 5 4 24 3 5 27 1 3 -2 1 3 6)
a=0;f(){ c=$a;((v=c+3));((x=${d[${d[$a]}]}- ${d[${d[$a+1]}]}));d[${d[$a]}]=$x;(\
(a=((${d[${d[$a]}]})<0)?${d[$a+2]}:$v));case $a in -1)read d[${d[$c]}];a=$v;;-2\
)echo ${d[${d[$c+1]}]};a=$v;;0)exit;;esac;f;};f 2>&- # Charles Cooke, sysadmin
