On Mon, 12 Feb 2001, Martin wrote:

> I believe (like many others) that security through obscurity is not the
> proper method. I've lost track of the stories by people finding security

This however isn't obscurity, it's time-based release, a much different
animal.

> There shouldn't be a cloud. It should just be announced. If there IS
> such a group, though, the root server operators are the ones who
> definitely need to know - And paying for it is bull****.

There already is a cloud, root operators are already in the cloud, and
having a bar where commercial vendors have to pay to get into that
exclusive group doesn't seem overly high of a bar.  "It should just be
announced" creates a significant number of victims with no real gain from
"released to a core group then the world" for most site operators.


> Yep. Basically, there are two real contenders for DNS server code: BIND
> and djbdns, so vendors are forced to either write something new and make
> it interoperate, or package BIND. Supposedly, djbdns has a prohibitive
> license, not that I've been able to find it to read it. (grep -i licens
> in the source dir turns up nothing. I may just be blind, or stupid. But
> shouldn't your license be as easy to locate as possible? Perhaps in the
> README (not there) or a file called LICENSE (nonexistent.)

Dan doesn't believe in software licenses anymore.  He does want to control
distribution of his code, and while I wish he thought differently it's
obviously his right.

> Anyway, people want BIND. And giving away BIND for truly free would
> appear to be a goal of the ISC:

They are.

> But not the sale of software, or patches. Supposedly. It could be

Because it's not the sale of patches, any vendor who wants to wait for the
next CERT advisory is welcome to do so.

> that there ARE no buffer overflows etc - proactivity vs. reactivity. I
> doubt that charging some vendors some money is going to change their
> coding practice.

Since it's not scoped as anything but providing vendors enough time to fix
and update their products (akin to the sharing of samples amongst AV
researchers for instance) it's got nothing to do with their historically
bad coding practices other than the fact that they're a predicate.

> They don't make any commitment to notify the community of security holes
> as soon as they are found. This is, I think, a bad thing. It means that

The attacker community or the user community?

> you may very well have a false sense of security right now about the
> version of BIND you're running - unless you're running djbdns, in which
> case there's someone out there trying not to lose $500.

Anyone with a false sense of security about BIND doesn't need to worry
about Dan's $500.  Funnily enough, the Net still seems to mostly work,
which is why the problem isn't addressed more aggressively.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
                                                                     PSB#9280

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]