[18989] in bugtraq
Re: Defending the (supposedly) indefensible...
daemon@ATHENA.MIT.EDU (Shalon Wood)
Sun Feb 4 21:45:50 2001
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID: <87n1c3gy6t.fsf@pele.pele.cx>
Date: Sat, 3 Feb 2001 17:10:34 -0600
Reply-To: Shalon Wood <dstar@PELE.CX>
From: Shalon Wood <dstar@PELE.CX>
X-To: jpm@class.de
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20010203115121.A6218@fm.rz.fh-muenchen.de>
"Juergen P. Meier" <jpm@CLASS.DE> writes:
> Ah, here i think you (and the ISC) overlooked something:
> Although I believe the probability of having a blackhat among
> the root-nameserver maintainers is close to zero, I am convinced
> that the probability of blackhats among all those people who would
> receive such a closed-recipient-list security bulletin among the
> big vendors (IBM, Sun, HP and them linux distributors) is much
> closer to one.
s/much closer to//
I can't be the only person on BugTraq to have worked at one of the
above mentioned vendors. There *are* idiots working there; no hiring
process is, or can be, perfect.
Some of these *will* get access to the info. Some of those *will* be
blackhats, blackhat wannabes, or friends with the above. The
information *will* get out.
Just not to those of us who don't want our servers rooted.
The only way I could see to prevent that would be to limit the info to
one or two people per vendor, and that would kinda defeat the purpose,
I think, because I'm not sure that's enough people to get a head start
on patches.
Now, ISC may have taken this into account. I'm not *dead* set against
the idea yet, but I'm *extremely* skeptical. On the other hand, Paul
Vixie & co are some very smart, very experienced people, and I don't
subscribe to the conspiracy theories spouted by some people on the
list.
I'm willing to be convinced, but I haven't seen Paul & co address this
yet.
Shalon Wood
--