The BIND scandal
Bob Keyes
bob at sinister.com
Sat Aug 2 19:51:00 UTC 2008
What's really sad is that bad attitudes from various OS security
organizations, such as some people at FreeBSD, have made some people less
willing to share vulnerabilities that they have discovered. I speak
specifically from my experience in the year 2000, regarding the NAPTHA
DoS. Mr. Robert Watson was quite uncivilized in his criticisms of me and
the disclosure, even though it had been handled in the most reasonable way
(through CERT).
You may not believe it, but I've known about this BIND problem for some
years, but kept it in my vest pocket. Why? Because I was tired of being
made to suffer for doing what was right.
I have an inkling about other problems which affect commonly used
open-source software, but I see no reason to do a thorough investigation
and disclose the results in a responsible way. Because of the bad
attitudes of a number of people in the security community, I've been very
quiet, not revealing any of my accidental discoveries nor pursuing fixes
for the problems I see.
Until reasonable and diplomatic people are installed as the security
contacts for organizations such as FreeBSD, I will only make patches
available to me and my close friends.
Perhaps I am wrong, and the people who flamed me for my disclosure have
grown up. I'd like to think so.
-R. Keyes