On Fri, 2 Feb 2001, Shalon Wood wrote:
> So, my question to Paul and company is: Why *should* anyone other than
> critical infrastructure get that notice? I'm willing to be convinced;
> I just haven't seen an answer to this question yet. And note that
> 'They bitched and screamed because we didn't notify them this time'
> isn't a good enough reason.
>
It's awfully convienient to upgrade BIND via an RPM, PKG file, etc..
I'm a big fan of the up2date service w/Redhat and the windowsupdate.
microsoft.com website that lets people who don't know what they are doing
patch themselves.
Of course, lists like Bugtraq have never been about keeping the masses
safe, but rather keeping those who are willing to pay attention and who
can fend for themselves, safe.
I also feel that I should point out that this has been tried before. A
couple of years ago, Microsoft had identified a bug on their own, and
released an advisory stating that they were only going to release the info
to those who "needed" it. In that case, it was a professional
organization of remote vulnerability scanner vendors. I believe Elias
forwarded the exploit to Bugtraq the next day.
Ryan
