Re: Security information for dollars?

2001-02-04 Thread Paul A Vixie

 From: Peter Jeremy [EMAIL PROTECTED]

 What does the community think of this change in direction?

 Given the importance of BIND to the Internet, I can see the benefits
 in having a closed group to handle security-related issues.  As long
 as the membership is intended to provide a forum where security
 problems can be diagnosed and corrected without premature disclosure,
 it would seem to be a good idea.

That's the plan.

 If the intent is to provide a closed group with access to an `enhanced'
 BIND (and I don't believe it is), then I would be opposed to it.

That's NOT the plan.

 Overall, I have no problems with the creation of a "bind-members" group
 as long as:
 - The 'free' Unices (*BSD, various Linux distributions) are not
   (effectively) prevented from participating by requiring more than
   a nominal membership fee or other impediments.

That's the plan.

 - BIND source code remains freely available (at least for RELEASE and
   maybe BETA versions).

That's the plan.

 - Membership benefits do not include access to enhancements that are
   not publicly available

That's the plan.

 - Security fixes and announcements are made publicly available in a
   timely manner.

That's the plan.  (Same as now: via CERT).

 - The NDA requirements only cover details of bugs prior to their
   public announcement.  Once a fix has been publicly announced,
   members are free to discuss the details of the problem.

That's the plan.



Re: Security information for dollars?

2001-02-03 Thread Lincoln Yeoh

At 07:06 AM 2/2/01 -0600, Shalon Wood wrote:
Cooper [EMAIL PROTECTED] writes:

 Now, could someone explain to me why a select list of individuals should
 get an earlier warning?

I think this is the crux of the matter. Before you can say that this
is a good idea, you first have to show that some people should get
early notice. Quite frankly, I can see a *very* strong argument in
favor of the root servers, ccTLD, &c operators getting advance

Sure, but how will they actually get early notice?

Unless ISC _pays_ people who announce security issues to the closed list
exclusively, I don't see how it's really going to work significantly
better. Why announce to the closed list, vs Bugtraq?

So how about:
The listeners pay.
The bug announcers get paid.
ISC gets what's left.

The more bugs the less ISC gets.

One way to cut costs would be to pay using fancy cheques (stating what
exploit it's for) which would be more likely to be framed up than cashed. ;).

Cheerio,
Link.



Re: Security information for dollars?

2001-02-02 Thread Michael Bryan

Ben Greenbaum wrote:

 As I expected, there has been a flood of responses to the news about ISC's
 plan for a bind-members program. Rather than approve each, I have
 summarized many of them here.

Personally, from what I'm seeing in these responses, a lot of people are
jumping to conclusions, and trying to make this a much bigger issue than
it really is.  I get the feeling people saw "members only" and "fee-based",
and immediately assumed -everything- was changing.  But it's not.  Some
key points:

1) Nowhere in the announcement did it say that they intend to close up
any existing mailing lists, nor did it say anything about making the existing
source tarballs no longer available.  All of that is going to stay the same
as it is currently.

2) Nowhere in the announcement did it say that they would not continue to
provide general security announcements and product releases to the community
at large.

3) The "members only" early notification list is already something that is
done on an ad-hoc basis.  ISC developers knew about the bugs when they were
first notified about it.  They worked on fixes for them, and got releases
ready to go.  They also notified key vendors that a security hole existed
and that the updates were on the way.  (The FreeBSD security officer said
they were notified sometime last week, days before the releases were available
and the CERT announcement was made.)  This is just a formalization of that
process.

4) As for the NDAs, I don't think that's a bad idea, given all of the above.
As with all things it's difficult to form a totally valid opinion without all
the facts in evidence, but to me it looks much more like this:  "We will give
you early access to information about pending releases and security announcements
so that you can get your products updated and releases ready for your customers.
In return, we will require you to keep this early information to yourself until
we make our official public announcement."  I know there are different opinions
on the issue of full/immediate disclosure vs. delayed disclosure and giving a
vendor a chance to get fixes ready, and -that- issue will never reach a point
where everybody agrees.  But really, the ISC announcement is just making the
"delayed disclosure to allow fixes to be ready" issue a bit more formalized,
and the NDA allows them to "safely" extend it to cover not just ISC, but the
vendors that depend on ISC for their own products.

5) Fees.  This is probably the most questionable of things, but unless the fees
are sky-high, I don't think it's totally unreasonable.  A more formalized structure,
with extra benefits such as security training and such, virtually requires cash
to be able to run efficiently.  And the fee exception for non-profits is a good
compromise, too.


It really isn't that drastic of a change, people.  Nothing that you currently have
is going to change or go away.  They're just adding a new service and channel of
information for certain classes of entities.  I don't think that's bad at all.  And
frankly, I like the idea of formalizing the process, and letting vendors who use
BIND get product updates and their own security announcements ready to go all at
once, so that when the "big" public announcement is made, patches and such are
fully ready to go.



Re: Security information for dollars?

2001-02-02 Thread C. Cooke

On Wed, 31 Jan 2001, Theo de Raadt wrote:

 What does the community think of this change in direction?

 (Myself, I think it is a terrible idea to charge money for security
 information access, and that closing BIND up like this is also going
 to be harmful)

Ok, just some comments that I haven't seen made anywhere else (If I'm
wrong in this, please accept apologies - I just think they should be
made, and a reasonably diligent search has not found them)

snip included message from Paul Vixie. We've all seen it already

Right. I can see both good and bad interpretations of this, but there are
some key facts that would make life on the internet that bit more
unpleasant for a lot of us.

Good points:

Well, the overall effect of the strategy, leaving ideology outside
the consideration, is to make the process of BIND bugs a lot more like
what happens to regular companies software - report a bug, and make it
public if it's not fixed within a reasonable period. I know this is
roughly the case already, but what is being talked of is a much more
formal way of doing this...
In this, I can't fault the idea. The root servers are *important*,
and a certain amount more effort put into protecting them than any old
server is perfectly valid.

Bad points:

This is more in the way of *results* of the suggestion that I can
see plausible - again, leaving the ideology out of the question.

The scenario described is something like this, I believe:

1) person reports a bug to list member (where person may or
may not be a list member)
2) list members prepare a patch
3) list members repair their servers
4) patch is released to the world, with appropriate information.

Now. Between (2) and (3) (inclusive), the list members *CANNOT*
distribute any notice whatsoever of the patch existing. Binary patches are
insufficient, and can be compared against existing binaries to provide
tips on where the hole is. Source patches will highlight the problem.
The NDA will mean such hints cannot be dropped.

But the list members will not allow the patch to be distributed
until *all* their servers are safe. This increases the time an exploit is
wild, to the detriment of the entire internet community. The larger the
list, the larger the portion of the net that will be as safe as it would
be under the *current* system. But, the larger the list, the longer it
will take to organise a changeover - and if list members are paying for
subscriptions, they will want those subscriptions to mean patches are not
released without their OK. A longer period when the internet is
susceptible to such widespread cracking is a Bad Thing.

Secondly, as evidenced by a similar thread on Bugtraq currently,
bind can be fingerprinted - and it is current practice to avoid obfuscating
the version number. If people can read the version number of *any* list
member's server, they can see when an upgrade happened. If the rest of the
world doesn't know about that upgrade, then you can be pretty sure there's
a big exploit coming down the wire. And I don't know about you, but if *I*
were presented that information, about *my* servers, I would be getting
highly worried about who might be cracking my box. If I were interested in
cracking other people's boxes, I'd monitor version numbers too - if I
*know* there's an exploit in general, finding it can be easier.

Lastly... legality. IANAL, but does anyone with a little legal
experience know what position somebody contracted to keep a set of servers
for which non-list members have access to secure would be in, signing an
NDA which forbids him/her from patching those servers because other people
might see them?


Anyway, just some thoughts to throw into the discussion. I'm not sure
which way I'd go, given the choice - although I think the proposal could
do with a good few changes. Strictly, it's not my business, since I don't
admin a DNS server right this minute... but for all I know, that could
change within the week.

--
d=(1 0 6 0 1 0 5 5 41 5 3 12 4 5 15 1 4 -2 5 5 0 5 4 24 3 5 27 1 3 -2 1 3 6)
a=0;f(){ c=$a;((v=c+3));((x=${d[${d[$a]}]}- ${d[${d[$a+1]}]}));d[${d[$a]}]=$x;(\
(a=((${d[${d[$a]}]})0)?${d[$a+2]}:$v));case $a in -1)read d[${d[$c]}];a=$v;;-2\
)echo ${d[${d[$c+1]}]};a=$v;;0)exit;;esac;f;};f 2- # Charles Cooke, sysadmin
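The fingerprinting concern raised in the post above (a server's version string reveals when it was upgraded) is easy to audit on a server you administer: BIND answers a TXT query for `version.bind` in the CHAOS class with its version string unless told otherwise. The following is an added example, not code from the thread or from ISC: it builds that query in RFC 1035 wire format, parses the TXT answer, and reports whether the reply still carries a version number. The reply bytes used for the offline run are constructed here, and the sample version string "8.2.3-REL" is made up for the demonstration.

```python
"""Audit whether a name server you run discloses its BIND version via the
CHAOS-class TXT record 'version.bind'.  Added example; the sample reply is
constructed in build_sample_response() and is not a captured packet."""
import socket
import struct

QTYPE_TXT = 16   # RFC 1035 TXT record type
QCLASS_CH = 3    # CHAOS class, where BIND publishes version.bind


def build_version_query(txid: int = 0x1234) -> bytes:
    """Encode a standard query: version.bind, type TXT, class CH."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label for label in (b"version", b"bind"))
    return header + qname + b"\x00" + struct.pack(">HH", QTYPE_TXT, QCLASS_CH)


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_version_response(msg: bytes) -> list:
    """Return the TXT strings in the answer section (empty list if none)."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                      # step over the echoed question(s)
        off = _skip_name(msg, off) + 4       # name, then QTYPE + QCLASS
    texts = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CH:
            i = 0
            while i < len(rdata):            # TXT rdata is a run of <len><chars>
                n = rdata[i]
                texts.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
    return texts


def version_is_hidden(texts: list) -> bool:
    """True when no TXT string contains a digit, i.e. no version leaks."""
    return not any(ch.isdigit() for t in texts for ch in t)


def build_sample_response(text: str, txid: int = 0x1234) -> bytes:
    """Constructed reply shaped like a server's answer to build_version_query()."""
    question = build_version_query(txid)[12:]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA; 1 answer
    rdata = bytes([len(text)]) + text.encode("ascii")
    answer = b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_TXT, QCLASS_CH, 0, len(rdata)) + rdata
    return header + question + answer


def query_server(host: str, port: int = 53, timeout: float = 2.0) -> list:
    """Send the query over UDP to a server you administer and parse its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_version_query(), (host, port))
        data, _ = sock.recvfrom(512)
    return parse_version_response(data)


if __name__ == "__main__":
    # Offline demonstration on constructed replies; "8.2.3-REL" is a made-up string.
    for sample in ("8.2.3-REL", "not disclosed"):
        found = parse_version_response(build_sample_response(sample))
        print(sample, "->", found, "hidden" if version_is_hidden(found) else "LEAKS VERSION")
```

If the audit reports a leak, BIND's `options { version "not disclosed"; };` in named.conf replaces the string it serves, so an upgrade is no longer visible to anyone who polls `version.bind`. Point `query_server()` only at servers you are responsible for.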



Re: Security information for dollars?

2001-02-02 Thread Drew Whittle

It would be interesting to see how many of the bugs in BIND have been found
by Whitehats and how many have been found by Blackhats.

Any bug that has been found by a Blackhat should be made public instantly,
because by the time Whitehats find out about the bug, it is already being used.

IMHO, all bugs should be disclosed ASAP, and waiting for some
vendor to fix their version is just plain wrong.

1. My Company runs Company A's BIND implementation.
2. A bug is found that affects all versions of BIND.
3. BMF notify their members, and give them 2 weeks to fix before the
announcement.
4. Company A fix their implementation immediately, but can't make an
announcement because of BMF rules.
5. I know nothing about the bug so do nothing.
6. My Company gets hacked using an exploit for the bug.
7. We spend lots of time recovering from the hack.
8. BMF finally give the ok for the announcements.
9. My Company installs the fixed version that was "available" before we got
hacked.
10. In the tradition of the good old USA we start a class action lawsuit
and sue the pants off of the BMF, Members, and the ISC.

Drew.


One - just ONE - of the features suggested - only suggested - for the
BIND Members Forum (BMF) is that members get advance warning of
security problems. This is not unreasonable given that members are
likely to be folks running root, gTLD and ccTLD name servers or
vendors who have to prepare and ship security patches to their
customers. Or do you think that critical Internet infrastructure
should just take their chances that the script kiddies don't get to
them first? Another membership constituency are the companies who
build products on top of BIND. They need time to incorporate any
security fix too. Many of them were taken by surprise by Monday's
announcement.



Re: Security information for dollars?

2001-02-02 Thread Jeffery L. Vogt

Michael Bryan wrote:

 I get the feeling people saw "members only" and "fee-based",
 and immediately assumed -everything- was changing.  But it's not.

In discussions with my colleagues, the concern isn't that "everything is
changing"... the concern is the "slippery slope".

- Arf, JT
--
   "There are two major products that come out of Berkeley: LSD and
UNIX.  We don't believe this to be a coincidence."
  - Jeremy S. Anderson

Unix, Networking and ISP Consulting [EMAIL PROTECTED]
FurryMUCK (muck.furry.org): S'A'Alis MSTie# 21756



Re: Security information for dollars?

2001-02-02 Thread Shalon Wood

Cooper [EMAIL PROTECTED] writes:

 Now, could someone explain to me why a select list of individuals should
 get an earlier warning?

I think this is the crux of the matter. Before you can say that this
is a good idea, you first have to show that some people should get
early notice. Quite frankly, I can see a *very* strong argument in
favor of the root servers, ccTLD, &c operators getting advance
notice. I can't think of *any* good reason for anyone else to get
it. Sun, HP, IBM -- none of those are critical infrastructure.

So, my question to Paul and company is: Why *should* anyone other than
critical infrastructure get that notice? I'm willing to be convinced;
I just haven't seen an answer to this question yet. And note that
'They bitched and screamed because we didn't notify them this time'
isn't a good enough reason.

Shalon Wood
--



Re: Security information for dollars?

2001-02-02 Thread Kristofer Coward

 1. Inform the BIND developers.

 They will privately handle the issue, create some sort of patch or
 update and then send out a notification so that people know they need to
 upgrade. A day or so later the exploit for the problem can go public and
 everybody's happy. This is probably the way most people on this list
 would like things to be.

 Now, could someone explain to me why a select list of individuals should
 get an earlier warning?
 Where, given the above options (and include more if you think there are
 any), is there a real advantage in having a select few be aware of the
 problem in order to whip out a fix?

I suspect what is going on is that this select group of people is getting
counted among the developers for scenarios like the first ideal you
suggest. Only instead of contributing code (not to say they won't
contribute code) they pay (or are included because they run root
nameservers). I don't expect disclosure would be delayed for any of their
sake, they just get to start packaging (or applying in the case of root
and TLD nameservers) the fixes as soon as they hit the CVS tree instead of
as soon as they hit the mailing lists.
Basically, I think those of us in the rest of the world (i.e. not the ISC
or distributors) aren't going to see any difference apart from our vendors
providing update packages a few hours earlier.

Kris Coward



Re: Security information for dollars?

2001-02-02 Thread Ryan Waldron

On Fri, 2 Feb 2001, Shalon Wood wrote:

 Cooper [EMAIL PROTECTED] writes:

  Now, could someone explain to me why a select list of individuals should
  get an earlier warning?

 I think this is the crux of the matter. Before you can say that this
 is a good idea, you first have to show that some people should get
 early notice. ...

 So, my question to Paul and company is: Why *should* anyone other than
 critical infrastructure get that notice?

It certainly appears to me that the ultimate answer to this might turn
out to be, "Because they are likely to cough up the money for it."

And who, exactly, believes that once these companies *do* cough up
some bucks for whatever fuzzy benefit they might start out getting,
that they won't fight tooth and nail to keep any such benefits from
being given back to non-paying people, no matter how important they
might be?  Or worse yet, to expand the gap between the information
that non-members have vs. paying members.  Competitive advantage is a
VERY big deal to these people, even small ones.  That, after all, not
a big-hearted, humane concern for individual users' well-being, is
what will prompt them to pay-for-play under a system like ISC is
proposing.

Or am I just being cynical?

--
Ryan Waldron|||   http://www.erebor.com|||[EMAIL PROTECTED]

"The web goes ever, ever on, down from the site where it began..."



Re: Security information for dollars?

2001-02-02 Thread Patrick Lamb

Shalon Wood wrote:

 Cooper [EMAIL PROTECTED] writes:

  Now, could someone explain to me why a select list of individuals should
  get an earlier warning?

 I think this is the crux of the matter. Before you can say that this
 is a good idea, you first have to show that some people should get
 early notice. Quite frankly, I can see a *very* strong argument in
 favor of the root servers, ccTLD, &c operators getting advance
 notice. I can't think of *any* good reason for anyone else to get
 it. Sun, HP, IBM -- none of those are critical infrastructure.

 So, my question to Paul and company is: Why *should* anyone other than
 critical infrastructure get that notice? I'm willing to be convinced;
 I just haven't seen an answer to this question yet. And note that
 'They bitched and screamed because we didn't notify them this time'
 isn't a good enough reason.

I think this is a start on the slippery slope others have mentioned.
Critical infrastructure to you may be the root servers and ISPs.  OK,
uu.net may be part of the critical infrastructure; how about
mylittle.net?  To somebody else it may include banks and brokers; since
we started on financial institutions, why not include Amazon and Ebay?
How about the DoE national labs with nuclear design information?  And if
you accept those, the key DoD installations that control the weapons are
probably key, but how do you know Fort Knot-on-a-Log, run by E-2's that
have some weird friends, isn't "key?"

(Oh, by the way, my internet access is critical infrastructure, at least
to me.  Your access probably isn't critical. ;)

Sun, HP, IBM that you mention, as well as BSD and some of the Linux
vendors, may test and/or patch the bind they distribute to their
customers, which include many of the "key" players above -- including
ISPs.  If you don't allow these vendors access, the work won't get done
before the news breaks.

And then you get down to the debian maintainers; volunteers.  How do you
know whether I'm a cracker or a maintainer?  You want to deny access to
one, and invite the other to access early patch information.

I think the argument you present boils down to "critical infrastructure
gets advance notice to defend against exploits."  What isn't clear is
(a) that all or most of the critical infrastructure can afford to, or
will, pay for early access; (b) that "money talks" won't overpower
"critical infrastructure"; (c) that, given wide enough access to allow
critical infrastructure to protect itself, enough information to exploit
a newly-discovered hole won't leak anyway; and (d) exactly where in the
spectrum outlined above ISC will draw the line.

It also isn't clear to me that the rest of us will be any better
protected.  What assurance do I have that I'm not left vulnerable for
another week when my vendor is prevented by the NDA from distributing a
patch because some other vendor hasn't finished theirs?

Pat
___
If my company has any ideas, it can tell you.  The above opinions are
all mine.



Re: Security information for dollars?

2001-02-02 Thread Ryan Russell

On Fri, 2 Feb 2001, Shalon Wood wrote:

 So, my question to Paul and company is: Why *should* anyone other than
 critical infrastructure get that notice? I'm willing to be convinced;
 I just haven't seen an answer to this question yet. And note that
 'They bitched and screamed because we didn't notify them this time'
 isn't a good enough reason.


It's awfully convenient to upgrade BIND via an RPM, PKG file, etc..
I'm a big fan of the up2date service w/Redhat and the windowsupdate.
microsoft.com website that lets people who don't know what they are doing
patch themselves.

Of course, lists like Bugtraq have never been about keeping the masses
safe, but rather keeping those who are willing to pay attention and who
can fend for themselves, safe.

I also feel that I should point out that this has been tried before.  A
couple of years ago, Microsoft had identified a bug on their own, and
released an advisory stating that they were only going to release the info
to those who "needed" it.  In that case, it was a professional
organization of remote vulnerability scanner vendors.  I believe Elias
forwarded the exploit to Bugtraq the next day.

Ryan



Re: Security information for dollars?

2001-02-01 Thread Jim Reid

 "Theo" == Theo de Raadt [EMAIL PROTECTED] writes:

Theo What does the community think of this change in direction?

What "change in direction"?

Theo (Myself, I think it is a terrible idea to charge money for
Theo security information access, and that closing BIND up like
Theo this is also going to be harmful)

Please re-read Paul Vixie's announcement. Nobody's suggesting BIND
will get "closed up", apart from a few misguided people who have
jumped to wrong/absurd conclusions without having all the facts at
their disposal. Probably Paul is the only one who has those facts,
though I believe I'm close enough to the action to know most of
them. I speak here only for myself, not my employer (Nominum) or as a
mouthpiece for the ISC or Paul Vixie (which I'm definitely not).

One - just ONE - of the features suggested - only suggested - for the
BIND Members Forum (BMF) is that members get advance warning of
security problems. This is not unreasonable given that members are
likely to be folks running root, gTLD and ccTLD name servers or
vendors who have to prepare and ship security patches to their
customers. Or do you think that critical Internet infrastructure
should just take their chances that the script kiddies don't get to
them first? Another membership constituency are the companies who
build products on top of BIND. They need time to incorporate any
security fix too. Many of them were taken by surprise by Monday's
announcement.

Other benefits that have been suggested for the proposed BMF are:
access to the CVS archives; in-person meetings (presumably to discuss
new features/requirements for the software or perhaps workshops on the
internals or contact with the developers); a mailing list. Where's the
harm in that?

I agree that Paul's announcement of the BMF could have been worded
better. [Hindsight is a wonderful thing.] But people should calm
down. Some of the claims that have been made are just ridiculous: like
BIND would no longer be open source. The BMF is simply a way for the
ISC to broaden its source of funds, get input from people who are
serious BIND users and co-ordinate the future development of
BIND. It's nothing more sinister than that.



Re: Security information for dollars?

2001-02-01 Thread Paul A Vixie

 This won't help anything other than giving the organizations with more
 money/resources an advantage over others. IMHO, if you want to stomp out the
 problem, you need to disseminate it far and wide (along with the solution),
 which will render the hole useless to those that would exploit it.

that's an important viewpoint and i thank you for airing it.

 However, decisions like these may lead to alternatives to BIND (some of
 which may work much better) - - so if they want to run themselves out of
 business, falling victim to people that understand the need for
 full-disclosure.. *shrug*

i am amazed at the continuous supply of dupes who are willing to believe
the kinds of factual errors promulgated by posts like theo's.  he said:

 What does the community think of this change in direction?

it's not a change in direction, as explained separately.

(there is no plan to stop doing what isc has always done, which is work with
cert to propagate security information to the public in responsible ways.
but, isc also needs direct relationships to the vendors involved.  this is it.)



Re: Security information for dollars?

2001-02-01 Thread Ben Greenbaum

As I expected, there has been a flood of responses to the news about ISC's
plan for a bind-members program. Rather than approve each, I have
summarized many of them here. I realize that this is an emotional issue
for many, but please remember that posts consisting of the entire original
message with the addition of "Yeah, this sucks!" or the like will not be
approved, so please don't bother :)

-
From: [EMAIL PROTECTED] (Andrew Church)

 I think it's a good excuse to get back to work on the DNS server
I was working on when I was at university...

 On a more serious note, while I think this is a stupid idea,
I'm not actually sure it will have much effect given the existence of
Bugtraq; ISC can't stop outsiders from releasing advisories and such.
The one thing I could see it doing would be shaking confidence and
trust in BIND and its developers.  Heck, even Microsoft publishes
security reports; if ISC can't, does that mean they maybe have
something to hide?

 Then again, another question is how many interested parties
would be willing to sign the "strong NDA" the message calls for...

---
From: Joshua Fritsch [EMAIL PROTECTED]

[ Blatantly obvious statement follows since it seems some people need a
reminder ]

This won't help anything other than giving the organizations with more
money/resources an advantage over others. IMHO, if you want to stomp out the
problem, you need to disseminate it far and wide (along with the solution),
which will render the hole useless to those that would exploit it.

However, decisions like these may lead to alternatives to BIND (some of
which may work much better) - - so if they want to run themselves out of
business, falling victim to people that understand the need for
full-disclosure.. *shrug*

--
From: Robert van der Meulen [EMAIL PROTECTED]

   1. Not-for-profit members can have their fees waived
This helps distributors of Free software, but closes it off for the rest.
Bad. Independent security consultants/interested parties and developers
whose company doesn't want to/can't pay are denied information.

   2. Use of PGP (or possibly S/MIME) will be mandatory
Good. but it's open information, as far as i'm concerned ;)

   3. Members will receive information security training
Only trained members are allowed to talk? The next step might be
(paid) certification for the right to read about your own system's security.

   4. Members will sign strong nondisclosure agreements
_BAD_.
I'm allowed to read (if of course, i'm a member, went through the exam, did my
rites, and offered my firstborn) about security stuff that implicates me, my
ISP, and the internet in general - but i'm not allowed to share?
If my ISP, or a party i have to semi-trust for security runs buggy software,
i like to be able to tell them.
What happens if one of the members starts an 'underground' fan-out ?
exploits will be in the wild, but cannot be reported, fixed, or acknowledged
publicly - apart from ISC-originating messages, of course.
The members will be bound on hands and feet, and will not be able to speak
about what they learn and know.

   1. Private access to the CVS pool where bind4, bind8 and bind9 live
   2. Reception of early warnings of security or other important flaws
'early warnings' ?? This means that buggy, insecure bind versions can be
running anywhere, and only the 'elite bind-members crew' is allowed to know?
Sick.

 If you are a BIND vendor, root or TLD server operator, or other interested
 party, I urge you to seek management approval for entry into this forum, and
 then either contact, or have a responsible party contact, [EMAIL PROTECTED]
I urge anyone with brains _not_ to participate. It probably won't do any
good, as people will value the knowledge more than the fact that the setup
sucks.
If i was the rebellious type, i would try to get a public fan-out
up-and-running as soon as possible (of course implying nothing here, letting
ISC mess up their own mess will probably work out for the best in the end,
anyways)

---
From: "Larry W. Cashdollar" [EMAIL PROTECTED]

 This means only system crackers and paying parties will be aware of
security issues.  How is this model going to benefit the internet as a
whole and the security community?  I rely on free information from lists
like bugtraq and cert to keep my systems secure.  I now have to pay for
my own security?

--
From: antirez [EMAIL PROTECTED]

Yes, it sounds very terrible. Even worse BIND may be just the start,
(an emblematic one). Anyway all we know that the major part
of the security vulnerabilities are discovered by independent
groups or individuals, that will post the new security problems
discovered in publicly accessible mailing lists like bugtraq,
so I feel that this can't have a very