6048005 2001-02-04 18:08 +1100 /333 lines/ Darren Reed <avalon@COOMBS.ANU.EDU.AU>
Sent by: joel@lysator.liu.se
Imported: 2001-02-05 04:19 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: avalon@COOMBS.ANU.EDU.AU
Recipient: Bugtraq (import) <15206>
Marked by 1 person.
Subject: FREQUENTLY ASKED QUESTIONS ABOUT THE BIND-MEMBER FORUM (fwd)
------------------------------------------------------------
From: Darren Reed <avalon@COOMBS.ANU.EDU.AU>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <200102040708.SAA11722@caligula.anu.edu.au>

In response to the debate on bugtraq, people should read this...
If Paul hasn't already forwarded a copy there, that is...

> To: BIND-Members Forum Information:;
> Subject: FREQUENTLY ASKED QUESTIONS ABOUT THE BIND-MEMBER FORUM
> Date: Sat, 03 Feb 2001 22:32:01 -0800
> From: Paul A Vixie <Paul_Vixie@isc.org>
> X-Approved-By: Paul_Vixie@ISC.Org
> X-original-sender: Paul_Vixie@ISC.Org
>
> FREQUENTLY ASKED QUESTIONS ABOUT THE BIND-MEMBER FORUM
>
> LICENSING:
>
> Q: Does this mean ISC's software will no longer be publicly available?
> A: NO. ISC's software is published under a "BSD-style" license which allows
>    full redistribution, in source or binary, embedded or not, modified or not,
>    with or without fee. This has not changed, and will not change, ever.
>
> Q: Then are you effectively charging for access to patches which come out
>    between major releases?
> A: NO. Patches will be distributed as before. In fact, all access to ISC's
>    software will continue as before. The bind-members Forum adds a new class
>    of access to ISC's personnel and sources, but subtracts nothing.
>
> Q: So the bind-members Forum programme does not restrict or delay any access
>    to which the industry has become accustomed?
> A: Right.
>
> Q: You mean this whole thing is just to _add_ a new level of access for the
>    organizations ISC considers critical to the Internet's infrastructure.
> A: Yes.
>
> FEES:
>
> Q: What is the fee structure associated with participation in the bind-members
>    Forum?
> A: This is still under consideration. An announcement will follow. However,
>    we anticipate a graduated fee schedule similar to the X Consortium's.
>
> Q: This whole thing smacks of a money-making scheme to enhance ISC.
> A: All fees collected under this programme will go to support ISC's mission,
>    which since 1993 has been (from http://www.isc.org/):
>       "The Internet Software Consortium (ISC) is a not-for-profit
>       corporation dedicated to developing and maintaining production
>       quality Open Source reference implementations of core Internet
>       protocols."
>    Anyone who feels that ISC spends money on things it shouldn't is welcome
>    to approach any board member and share those concerns. See our web page
>    (http://www.isc.org/ISC/bod.html) to learn who those board members are.
>
> Q: Has ISC decided to transform itself into a for-profit members-only club?
> A: NO. ISC's mission, and its not-for-profit status, has not changed.
>
> CERT:
>
> Q: Does this mean ISC and CERT are parting ways?
> A: Not at all. CERT has been ISC's partner in the discovery and publication
>    of critical bugs in BIND and other software ever since ISC was founded,
>    and ISC anticipates continuing this relationship in the foreseeable future.
>
> Q: Will vendors receive bind-members notice of new bugs before they receive
>    notice from CERT?
> A: That will be up to CERT. If they decide that the bind-members Forum is an
>    acceptable notification method then they may choose to depend on it for
>    their own vendor notices concerning BIND bugs. In any case, ISC will notify
>    CERT of any critical bugs we discover before bind-members hears about them.
>
> Q: It's been said that CERT is too conservative about bug notifications, and
>    that by the time they publish their vulnerability notices, everybody pretty
>    much already knows what's going to be in it.
> A: That has not been ISC's experience. In any case, ISC recognizes CERT as
>    the industry's chosen agent for this type of notification, and recommends
>    that anyone who is dissatisfied with CERT's policies discuss those policies
>    directly with CERT.
>
> Q: What's the difference between what OS vendors heard directly from CERT
>    before the bind-members Forum was created, and what they will hear now?
> A: In the past, OS vendors heard that there was a bug and that ISC would be
>    releasing a patch to its latest releases, and if they needed any specific
>    help they should contact ISC directly. The bind-members Forum was created
>    to formalize and facilitate that contact.
>
> Q: What about critical bugs which are of no interest to CERT?
> A: It's likely that such bugs would be discussed on bind-workers@isc.org, just
>    as they have been for some years now.
>
> NONDISCLOSURE:
>
> Q: Why doesn't ISC just open its CVS repository to the world and let
>    everyone find out about new bugs at the same time?
> A: Because some parts of the Internet's infrastructure are harder to upgrade
>    than others, and ISC believes in coordinated announcements. If we opened
>    our CVS repository then the "black hats" and "white hats" would learn of
>    problems at the same instant. The "white hats" have more work to do
>    (preparing customer notifications and patches, and in some cases burning
>    CDROMs) than the "black hats" (just load the script-kiddieware and go).
>
> Q: What if the "black hats" release their notice before ISC or the "white hats"
>    know what's going on?
> A: That happens sometimes. When it does, it's most unfortunate for the "white
>    hats" and we catch up as quickly as we can. But if, as happens frequently,
>    a critical bug is discovered during a source code audit, then ISC believes
>    that it's in the best interests of the Internet infrastructure to get the
>    patch into restricted distribution _before_ any general notices are sent.
>
> Q: What about customer responsibility? If a fee-paying participant in the
>    bind-members Forum learns of a critical bug, aren't they contractually
>    bound to tell their own customers about it no matter what NDA they signed?
> A: Every participant has to weigh that for themselves. It is expected that
>    the period between the discovery and publication of a critical bug will be
>    limited by practicality to a short few days, and that a prospective
>    participant would see it as being in their customers' best interests to
>    cooperate with such a delay.
>
> Q: If OS vendors are already hearing notice from CERT, then what will the
>    bind-members Forum really change?
> A: Every participant in the bind-members Forum will undergo security training
>    and will be required to learn and to use PGP or S/MIME when discussing
>    things they learn from the bind-members Forum. They will also agree to
>    avoid general internal discussion of things they learn from the Forum.
>
> Q: How will ISC enforce this NDA?
> A: By definition, undetected NDA violations are of no concern to anybody. If
>    ISC detects a violation, then we reserve the right to terminate the
>    violator's participation in the bind-members Forum.
>
> Q: Can you give an example of a possible violation of this NDA?
> A: Sending mail to ISC in clear text (that is, without any encryption) which
>    includes or references information which was learned via the bind-members
>    Forum and which has not been published elsewhere could be considered a
>    violation of the NDA.
>
> Q: What if part of my organization qualifies (let's say we serve a TLD) and
>    another part does not (let's say we serve a lot of non-TLDs) -- would we
>    be required to segregate our zones and only upgrade the "qualified" server?
> A: No, you can run a single server if you want. But the person who upgrades
>    that server will not be able to do so from an organization-wide source pool,
>    or tell their coworkers what's being done, or why.
>
> Q: The proposed "bind-members Forum" system only obscures that a problem
>    exists which means that far more systems would be compromised by people
>    with bad intentions.
> A: That would be true if we were proposing any additional delay before the
>    public (CERT-driven) announcement. We're not. This is just a change to
>    the way early notice to vendors and operators of critical servers is done.
>
> QUALITY:
>
> Q: None of this would be necessary if BIND weren't so full of security holes!
> A: History has shown that most large projects have bugs, and that some of
>    these bugs will be security related or otherwise critical. BIND has had
>    its share of bugs, including critical ones. Because ISC lacks the hubris
>    needed to announce that there will never be another security-related or
>    otherwise critical bug in BIND, and because BIND is used on 90% of the
>    world's name servers including the root and TLD servers, we are formalizing
>    the way we will handle any future bugs which are found.
>
> Q: Other DNS software publishers promise 0 defects and even offer rewards.
>    Why can't ISC seem to compete at the quality game?
> A: If someone else's DNS software ever runs on 80% of the Internet's name
>    servers and is shipped in source form that can run on a dozen or more
>    architectures, ISC will certainly feel that we have much to learn from
>    the authors of that software.
>
> Q: What's the long term plan? Are you going to invest any of the fees from
>    this project in some QA? (Ha ha ha.)
> A: We've spent more than $2.5M on BIND9, which is a complete rewrite, and which
>    took a dozen senior or supersenior DNS software experts over two years to
>    complete. BIND9 is our long term plan. Check it out at...
>       http://www.isc.org/products/BIND/bind9.html
>    ...especially if you like to read clean elegant modular auditable source.
>
> SERVER SELECTIVITY:
>
> Q: Don't root and TLD server operators already receive early notice of bugs?
> A: Root server operators do, since ISC operates a root name server and we
>    therefore know how to securely notify the other root server operators.
>    TLD server operators historically relied on public notifications from CERT.
>    The bind-members Forum will provide a secure communications path for root
>    and TLD server operators to learn about severe bugs early enough to complete
>    their upgrades before those bugs are common knowledge.
>
> Q: Why are the root and TLD operators "special" in this way? Shouldn't all
>    name server operators, regardless of what zones they handle, have access
>    to the same information at the same time?
> A: Root and TLD servers enable the Internet to function. There is no resource
>    that is more critical in the information age, except perhaps electric power.
>    If any of these servers were ever to be nefariously corrupted, the impact
>    could be felt for many years following.
>
> Q: I'm outraged to learn that root server operators and CERT's vendor contacts
>    have been getting early notice of bugs and that you're now expanding this
>    program to TLD server operators and forging even closer ties to the vendors.
>    How long has this been going on?
> A: Since at least 1993 when ISC was first incorporated.
>
> Q: What about SLDs that are effectively regional TLDs, like COM.UK?
> A: If you run a server which, though an SLD, is "like .COM or .NET" but on
>    a country-level basis rather than a worldwide basis, you probably qualify.
>
> Q: What about RIRs?
> A: If you operate a server for the first octet under IN-ADDR.ARPA, then you
>    qualify for the bind-members Forum since those servers are considered by
>    ISC to be part of the Internet's infrastructure.
>
> VENDOR SELECTIVITY:
>
> Q: Why should anybody have to pay ISC to receive critical bug notifications?
> A: They don't. These notifications will continue to come from CERT, who does
>    not charge any fees for notices of vulnerabilities.
>
> Q: I mean, why should anybody have to pay ISC for the right to discuss these
>    bugs with ISC and in some cases have private access to ISC's source pool?
> A: Because ISC is a not-for-profit corporation, and any programme of this kind
>    must be financially self-supporting. ISC's costs will include legal fees,
>    contract administration, release and software engineering, and system
>    administration (CVS, mailing lists, etc.).
>
> Q: So what happens if the participants of the bind-members Forum decide that
>    they would rather notify their customers ONLY, and they try to block ISC
>    and/or CERT from public disclosure, to try to gain competitive advantage?
> A: This seems unlikely, but if this were to come to pass, ISC would have no
>    choice but to exercise its contractual right to terminate the bind-members
>    Forum and we'd just go back to publishing patches in conjunction with CERT.
>
> MEMBER SELECTIVITY:
>
> Q: I'm an enterprise who uses BIND in production. Do I need to join the
>    bind-members Forum?
> A: Not if you subscribe to the CERT mailing list. As an enterprise member,
>    you would only be eligible for early notifications of critical bugs if
>    you operate a root or TLD server. You can join, as a way to support the
>    ISC in general and this programme in particular, and if you join then you
>    will receive from ISC a copy of every BIND-related notice CERT sends out.
>    But from a practical standpoint you could get the same thing by just
>    subscribing to the CERT mailing list.
>
> Q: But my enterprise serves millions of customers worldwide, and a DNS outage
>    which is due to an attack you could have helped us prevent would place ISC
>    in absolutely grave liability for my losses.
> A: We appreciate your position, and we know that your vendors, and CERT,
>    also understand the importance of getting enterprise-critical servers
>    upgraded at the earliest practical moment. However, the root and TLD
>    servers _will_ be done first, since without those, no other servers
>    would be reachable at all.
>
> Q: I'm an *SP or registrar who uses BIND in production and I serve 100,000
>    customer zones. Can I join the bind-members Forum and get early notice
>    of critical bugs?
> A: Only if some of those 100,000 zones are TLDs or the root itself. See
>    above. ISC would happily count you as an institutional member and send
>    you copies of CERT's BIND-related advisories, but even with 100,000 zones
>    you don't fit ISC's definition of "the Internet's infrastructure." Sorry.
>
> Q: I'm an *SP who uses BIND in production and I serve 1,000,000 customer
>    zones, or a portal who uses BIND and has 1,000,000 or more distinct
>    eyeballs per day, or a defaultless *SP doing business in 10 countries.
>    What's my position with respect to bind-members Forum?
> A: You may qualify. Contact ISC.
>
> Q: I'm a research lab involved in intrusions and intrusion detection. Is
>    there any benefit to participating in the bind-members Forum?
> A: Nope. CERT will fully disclose any critical bugs, and ISC's patches
>    will be publicly available. At ISC's discretion, an exemption can be
>    made if you're one of the research labs who audits source code and helps
>    to preserve the Internet's infrastructure by cooperating in restricted
>    disclosure of what you find. Contact ISC.
>
> Q: I'm a software supplier and I include BIND in my product. Should I join?
> A: Almost certainly. ISC considers it essential that your customers be able
>    to install a patch or new version on the same day CERT publishes its
>    vulnerability notice. This means you will need a bit of a head start.
>    However, you will have to agree to a strong NDA that prevents you from
>    telling your supported customers about a problem until ISC gives the OK.
>    This may be a conflict of interest for you, and we recommend that you have
>    your lawyers look over the NDA when you get it.
>
> Q: I'm part of the U.S. DoD, FBI, or other security-related agency. What's
>    my agency's eligibility?
> A: Absolutely certain, though perhaps indirectly through another agency.
>
> Q: This seems unfair. Why does ISC get to decide who gets early access?
> A: Because http://www.isc.org/ says...
>       "The Internet Software Consortium (ISC) is a not-for-profit
>       corporation dedicated to developing and maintaining production
>       quality Open Source reference implementations of core Internet
>       protocols."
>    ...and we take that mission very seriously.
>
> SUPPORT
>
> Q: I'm a support customer of ISC. Does this entitle me to early access to
>    critical bug notifications?
> A: Not directly, no. But if you qualify under some other provision (for
>    example if you are also a TLD server operator) then your fees could be
>    waived. Contact ISC.
>
> Q: I'm a support customer of a BIND vendor or ISC contractor. What about me?
> A: Your support vendor will likely participate in the bind-members Forum, and
>    as such you would be notified of critical bugs as soon as ISC and CERT
>    release the information, and it's likely that a patch would be installed
>    or made available coincident with such public release.
>
> ACTION
>
> Q: OK, I'm interested and I think I qualify. What now?
> A: If you received this message directly, then you are already on a mailing
>    list where subsequent notices will be sent, and you don't have to do
>    anything at this time. If you received this message indirectly by
>    "forwarding", then you should contact isc-info@isc.org and ask to be placed
>    on either the bind-users@isc.org or bind-announce@isc.org mailing list.
>
> REACTION
>
> Q: Why has there been such public outcry over this?
> A: We call it the "whisper down the lane" effect. Most of the folks who read
>    the preannouncement notice for the bind-members Forum responded positively,
>    and several who misunderstood it and sought clarification were satisfied.
>    A vocal minority who misunderstood the announcement and/or disagreed with
>    the intent have been able to inflame considerable, but often mistaken,
>    public sentiment. With this FAQ we hope to dispel all such misconceptions.
>
> Q: If I still think this is a really bad idea, who should I complain to?
> A: isc-info@isc.org is ready at all times for any comments or questions.