[BIND] Proposal: Fee-based, closed membership [BIND] forum.
chris.brown at ctg.com
Thu Feb 1 09:19:23 EST 2001
I agree with the spirit of open source. I don't think this closed BIND forum
is going to do anything to diminish the open source movement. Here's my
thinking on why it is actually a good idea:
Paul Vixie is a smart guy, and he's been intrinsically involved in BIND and
the Internet longer than probably any of the people on this list. His intent is
not to close open discussions, and he's not making BIND closed source.
The code itself is still open for review by anyone who wants to spend the
time doing so. What he is doing is in essence providing a secure forum for
active developers and key players, and to a degree increasing trust among
them (the non-disclosure agreement).
Let's face it, as interested as I am in BIND, I haven't ever had a suggestion
for its improvement that they were not already working on. And in point of
fact, I haven't looked at the code (with the exception of nsupdate.c) in
years. By excluding merely curious people like you and me from discussions
among the real developers, he's excluding many would-be miscreants as well.
That, I think, is the purpose.
The DNS infrastructure is the only service that if unavailable would make the
whole Internet unusable by the average person, because of its necessarily
centralized structure. In the grand scheme of things, it doesn't matter if
someone can't look up www.momandpop.com because ns1.momandpop.com
is under attack. It _does_ matter that no one can look up anything in *.com,
*.net, and *.org because the root servers are under attack. I'd much rather
have the root servers secured, rather than be notified immediately of a
potential exploit. It is partially because of the globally centralized nature of
the service that this forum doesn't fall under "security through obscurity."
Christopher Brown, CISSP
Corporate Security Advisor
Computer Task Group (CTG)
chris.brown at ctg.com
>>> devnull at butcherfamily.com 02/01/01 04:31AM >>>
Oh boy, I don't like this at all!
This post just came in on [BUGTRAQ] about a proposed closed, fee-based
support and development forum for [BIND]. Sure, there have been some pretty
catastrophic events recently with [BIND] vulnerabilities and exploits, but
I don't think a closed, fee-based [BIND] forum is the way to go.
I can't see any advantages, and it is just silly to think that access
restrictions will make [BIND] any more secure.
In a way, this proposed orientation is essentially a variant of "security
by obscurity" by attempting to restrict access and involvement in the
development and refinement of [BIND] -=- something that is doomed to
failure, and quite possibly may spawn the development of an alienated
community of "outsiders" intent on finding more ways to break [BIND]!
devnull at butcherfamily.com
"For every complex problem, there is a solution
that is simple, neat and wrong."
-- Henry L. Mencken
devnull at Buffalo.com | NEMO ME IMPUNE LACESSIT
Date: Wed, 31 Jan 2001 18:02:48 -0700
Reply-To: Theo de Raadt <deraadt at CVS.OPENBSD.ORG>
Sender: Bugtraq List <BUGTRAQ at SECURITYFOCUS.COM>
From: Theo de Raadt <deraadt at CVS.OPENBSD.ORG>
Subject: Security information for dollars?
To: BUGTRAQ at SECURITYFOCUS.COM
What does the community think of this change in direction?
(Myself, I think it is a terrible idea to charge money for security
information access, and that closing BIND up like this is also going
to be harmful)
To: bind-announce at isc.org
Subject: PRE-ANNOUNCEMENT: BIND-Members Forum
Date: Wed, 31 Jan 2001 09:36:02 -0800
From: Paul A Vixie <Paul_Vixie at isc.org>
ISC has historically depended upon the "bind-workers" mailing list, and
CERT advisories, to notify vendors of potential or actual security flaws
in its BIND package. Recent events have very clearly shown that there is
a need for a fee-based membership forum consisting only of:
1. ISC itself
2. Vendors who include BIND in their products
3. Root and TLD name server operators
4. Other qualified parties (at ISC's discretion)
Requirements of bind-members will be:
1. Not-for-profit members can have their fees waived
2. Use of PGP (or possibly S/MIME) will be mandatory
3. Members will receive information security training
4. Members will sign strong nondisclosure agreements
Features and benefits of "bind-members" status will include:
1. Private access to the CVS pool where bind4, bind8 and bind9 live
2. Reception of early warnings of security or other important flaws
3. Periodic in-person meetings, probably at IETF's conference sites
4. Participation on the bind-members mailing list
If you are a BIND vendor, root or TLD server operator, or other interested
party, I urge you to seek management approval for entry into this forum, and
then either contact, or have a responsible party contact, isc-info at isc.org.