This story appeared on Network World Fusion at http://www.nwfusion.com/columnists/2001/00363797.html

'Net Insider

Advertising vulnerabilities

By Scott Bradner
Network World, 02/12/01
The headlines were scary. For example, Dow Jones trumpeted "Researchers warn Internet's core vulnerable to attack." And indeed there were bugs in the software used in most of the world's domain name servers. These bugs make it possible for intruders to take full control of a server. The intruders could then disable the server or modify its data to misdirect Internet users when they attempted to contact an Internet site.
Most major news outlets picked up the story, and it caused a momentary blip in the regular diet of real and imagined non-Internet news. The story also reignited an old debate about how news of Internet vulnerabilities should be propagated.
The notice of the vulnerabilities first publicly surfaced on Jan. 26. That's when Internet Software Company's (ISC) Paul Vixie, whose firm developed the software, sent a note to a mailing list for network operators. The Computer Emergency Response Team (CERT), the official body addressing Internet security issues, published an alert the following Monday.
But, as was clear from the list of eight vendors' specific vulnerabilities at the end of the CERT bulletin, someone had told these vendors long enough before Vixie's public announcement for some of them to prepare fixes (these companies include versions of ISC's software in their offerings). When some readers of the North American Network Operators' Group (NANOG) list figured this out, they were quite incensed, indicating that a wider notification should have been made as soon as the vulnerabilities had been found.
The tension is not new between people who think the prudent thing to do when a security problem is found is to notify vendors in private, so the vendors can get fixes ready before the news gets out, and those who think it's best to tell the world about such a problem from the start, to force vendors and users to upgrade their systems. I've been watching this situation since the mid-1980s. The debate can, and in this case did, get bitter, as can be seen in the NANOG mailing list archives.
The discussion this time was made more complicated because Vixie's company is a not-for-profit corporation providing the Internet community with a tremendous service. Thus anyone criticizing him and ISC would seem ungrateful for the work that they do.
But they did the right thing.
I would like to have information on vulnerabilities be distributed as quickly as possible so they could get fixed, but feel it would be a reckless disregard of Internet safety to publicize a security hole so the bad guys can exploit it before the good guys have ways to plug the hole.
I admit to having some problems with the slowness at which the CERT occasionally works, but if the fundamental idea is to protect the Internet, it's better to be sure the cure is in place before releasing the pathogen.
Disclaimer: Harvard and slowness are well-acquainted concepts, but the above request for speed is mine and not the university's.
All contents copyright 1995-2002 Network World, Inc.
http://www.nwfusion.com