----- Original Message -----
From: "Juergen P. Meier" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, February 03, 2001 4:51 AM
Subject: Re: Defending the (supposedly) indefensible...
>
[snip]
>
> Ah, here I think you (and the ISC) overlooked something:
> Although I believe the probability of having a blackhat among
> the root-nameserver maintainers is close to zero, I am convinced
> that the probability of blackhats among all those people who would
> receive such a closed-recipient-list security bulletin among the
> big vendors (IBM, Sun, HP and the Linux distributors) is much
> closer to one.
>
> I fear that if the ISC really does make this pre-announcement a
> reality, we will have a situation where the bad guys will get
> those security warnings at the same time as the root-NS, TLD maintainers
> and vendors, and have even more time to develop and _use_ exploits
> before we even know that there is a hole.

Doesn't it seem axiomatic that if they would have the information
*at the same time* as the TLDs (under the proposed scenario), then they must
have it *now*?  How would anything change in that case?

It's already been acknowledged here, by those in the know, that public
knowledge of holes lags four to five weeks behind the TLDs' and vendors'
knowledge now.  If the black hats are in that group that has advance
warning under the proposed scenario, where they would have to pay *money* to
have that knowledge, then *surely* they are in that same group now, when
they don't pay anything?

It has seemed obvious to me since this announcement was made that *someone* or
*some group* has "infiltrated" the inner circle of ISC, and the purpose of
the new proposal is to force them out through cost-prohibitive fees.
Otherwise, what would ISC gain from this?  Paul Vixie has stated publicly
that nothing as it presently stands would change at all.  The BMF would be
in addition to the existing arrangement.

The entire arrangement, the fees, the use of PGP, the requirement for
training, seems purposefully designed to exclude someone or some group that
already has advance knowledge from being able to obtain that knowledge in
the future.

Paul Schmehl [EMAIL PROTECTED]
Supervisor, Support Services
University of Texas at Dallas