This story appeared on Network World Fusion at

'Net Insider  

Advertising vulnerabilities

By Scott Bradner
Network World, 02/12/01            

The headlines were scary. For example, Dow Jones trumpeted "Researchers warn Internet's core vulnerable to attack." And indeed there were bugs in the software used in most of the world's domain name servers. These bugs make it possible for intruders to take full control of a server. The intruders could then disable the server or modify its data to misdirect Internet users when they attempted to contact an Internet site.

Most major news outlets picked up the story, and it caused a momentary blip in the regular diet of real and imagined non-Internet news. The story also reignited an old debate about how news of Internet vulnerabilities should be propagated.

The notice of the vulnerabilities first publicly surfaced on Jan. 26. That's when Internet Software Company's (ISC) Paul Vixie, whose firm developed the software, sent a note to a mailing list for network operators. The Computer Emergency Response Team (CERT), the official body addressing Internet security issues, published an alert the following Monday.

But, as it was clear from the list of eight vendors' specific vulnerabilities at the end of the CERT bulletin, someone had told these vendors long enough before Vixie's public announcement for some of them to prepare fixes (these companies include versions of ISC's software in their offerings). When some readers of the North American Network Operators' Group (NANOG) list figured this out, they were quite incensed, indicating that a wider notification should have been made as soon as the vulnerabilities had been found.

The tension is not new between people who think the prudent thing to do when a security problem is found is to notify vendors in private so the vendors can get fixes ready before the news gets out and those who think it's best to tell the world about such a problem from the start to force vendors and users to upgrade their systems. I've been watching this situation since the mid-1980s. The debate can, and in this case did, get bitter, as can be seen in the NANOG mailing list archives.

The discussion this time was made more complicated because Vixie's company is a not-for-profit corporation providing the Internet community with a tremendous service. Thus anyone criticizing him and ISC would seem ungrateful for the work that they do.

But they did the right thing.

I would like to have information on vulnerabilities be distributed as quickly as possible so they could get fixed, but feel it would be a reckless disregard of Internet safety to publicize a security hole so the bad guys can exploit it before the good guys have ways to plug the hole.

I admit to having some problems with the slowness at which the CERT occasionally works, but if the fundamental idea is to protect the Internet, it's better to be sure the cure is in place before releasing the pathogen.

Disclaimer: Harvard and slowness are well-acquainted concepts, but the above request for speed is mine and not the university's.

All contents copyright 1995-2002 Network World, Inc.