Shalon Wood wrote:
> Cooper <[EMAIL PROTECTED]> writes:
> > Now, could someone explain to me why a select list of individuals should
> > get an earlier warning?
> I think this is the crux of the matter. Before you can say that this
> is a good idea, you first have to show that some people should get
> early notice. Quite frankly, I can see a *very* strong argument in
> favor of the root servers, CCTLD, &c operators getting advance
> notice. I can't think of *any* good reason for anyone else to get
> it. Sun, HP, IBM -- none of those are critical infrastructure.
> So, my question to Paul and company is: Why *should* anyone other than
> critical infrastructure get that notice? I'm willing to be convinced;
> I just haven't seen an answer to this question yet. And note that
> 'They bitched and screamed because we didn't notify them this time'
> isn't a good enough reason.
I think this is a start on the slippery slope others have mentioned.
Critical infrastructure to you may be the root servers and ISPs. OK,
uu.net may be part of the critical infrastructure; how about
mylittle.net? To somebody else it may include banks and brokers; since
we started on financial institutions, why not include Amazon and eBay?
How about the DoE national labs with nuclear design information? And if
you accept those, the key DoD installations that control the weapons are
probably key, but how do you know Fort Knot-on-a-Log, run by E-2's that
have some weird friends, isn't "key?"
(Oh, by the way, my internet access is critical infrastructure, at least
to me. Your access probably isn't critical. ;)
Sun, HP, IBM that you mention, as well as BSD and some of the Linux
vendors, may test and/or patch the BIND they distribute to their
customers, which include many of the "key" players above -- including
ISPs. If you don't allow these vendors access, the work won't get done
before the news breaks.
And then you get down to the Debian maintainers; volunteers. How do you
know whether I'm a cracker or a maintainer? You want to deny access to
one, and invite the other to access early patch information.
I think the argument you present boils down to "critical infrastructure
gets advance notice to defend against exploits." What isn't clear is
(a) that all or most of the critical infrastructure can afford to, or
will, pay for early access; (b) that "money talks" won't overpower
"critical infrastructure"; (c) that, given wide enough access to allow
critical infrastructure to protect itself, enough information to exploit
a newly-discovered hole won't leak anyway; and (d) exactly where in the
spectrum outlined above ISC will draw the line.
It also isn't clear to me that the rest of us will be any better
protected. What assurance do I have that I'm not left vulnerable for
another week when my vendor is prevented by the NDA from distributing a
patch because some other vendor hasn't finished theirs?
If my company has any ideas, it can tell you. The above opinions are