title: Advertising vulnerabilities


by: Scott Bradner


The headlines were scary.  For example, Dow Jones trumpeted "Researchers Warn Internet's Core Vulnerable To Attack."  And indeed there were bugs in the software that is used in most of the world's domain name servers.  These bugs make it possible for intruders to take full control of the server.  The intruders could then disable the server or modify its data to misdirect Internet users when they attempted to contact an Internet site.  Most major news outlets picked up the story and it caused a momentary blip in the regular diet of real and imagined non-Internet news.  The news also reignited an old debate on how news of Internet vulnerabilities should be propagated.


The notice of the vulnerabilities first publicly surfaced on Friday, January 26th, when Paul Vixie, who runs the company that developed the software, sent a note to a mailing list for network operators. (http://www.nanog.org/mailinglist.html)  The CERT (Computer Emergency Response Team), the official spokesbody for Internet security issues, published an alert the following Monday. (http://www.cert.org/advisories/CA-2001-02.html)  But, as was clear from the list of 8 vendors' specific vulnerabilities at the end of the CERT bulletin, someone had told the vendors long enough before Paul's public announcement for some of them to prepare fixes.  When some of the readers of the nanog list figured this out they were quite incensed, feeling that a wider notification should have been done as soon as the vulnerabilities had been found.


The tension between people who think that the prudent thing to do when a security problem is found is to notify vendors in private, so that the vendors can get fixes ready before the news gets out, and those who think that it's best to tell the world to force vendors and users to upgrade their systems is not a new one.  I've been watching it since the mid-1980s.  The debate can, and in this case did, get quite bitter, as can be seen in the nanog mailing list archives.


The discussion this time was made a bit more complicated by the fact that Paul's company, Internet Software Consortium (ISC), is a not-for-profit corporation doing the Internet community a tremendous service.  Thus anyone criticizing Paul and ISC would seem ungrateful for the work that they do.


But I think they did the right thing.  I would like to have information on vulnerabilities be distributed as quickly as possible so that they can get fixed, but I feel that it would be a reckless disregard of the safety of the Internet to publicize a security hole so that the bad guys can exploit it before the good guys have ways to plug the hole.  I will admit to having some problems with the slowness with which the CERT occasionally works, but if the fundamental idea is to protect the Internet, it is better to be sure the cure is in place before releasing the pathogen.


disclaimer:  Harvard and slowness are well acquainted concepts but the above request for speed is mine and not the University's.