[18934] in bugtraq


Re: Security information for dollars?

daemon@ATHENA.MIT.EDU (Paul A Vixie)
Thu Feb 1 15:21:42 2001

Message-Id:  <200102010735.XAA09695@redpaul.mfnx.net>
Date:         Wed, 31 Jan 2001 23:35:34 -0800
Reply-To: Paul A Vixie <vixie@MFNX.NET>
From: Paul A Vixie <vixie@MFNX.NET>
X-To:         Joshua Fritsch <joshua.fritsch@nyfix.com>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  Message from Joshua Fritsch <joshua.fritsch@nyfix.com> of "Wed,
              31 Jan 2001 21:46:04 EST."
              <12ED50EDC55DD4119C2D009027DE335E78AD21@exchange.nyfix.com>

> This won't help anything other than giving the organizations with more
> money/resources an advantage over others. IMHO, if you want to stomp out the
> problem, you need to disseminate it far and wide (along with the solution),
> which will render the hole useless to those that would exploit it.

that's an important viewpoint and i thank you for airing it.

> However, decisions like these may lead to alternatives to BIND (some of
> which may work much better) - - so if they want to run themselves out of
> business, falling victim to people that understand the need for
> full-disclosure...... *shrug*

i am amazed at the continuous supply of dupes who are willing to believe
the kinds of factual errors promulgated by posts like theo's.  he said:

>> What does the community think of this change in direction?

it's not a change in direction, as explained separately.

(there is no plan to stop doing what isc has always done, which is work with
cert to propagate security information to the public in responsible ways.
but, isc also needs direct relationships to the vendors involved.  this is it.)
