Date: Sat, 2 Aug 2008 15:09:37 -0400 (EDT)
From: Bob Keyes <bob@sinister.com>
To: freebsd-security@freebsd.org
Subject: The BIND scandal
Message-ID: <Pine.LNX.4.64.0808021459580.23103@neptune.sinister.com>
What's really sad is that bad attitudes from various OS security organizations, such as some people at FreeBSD, have made some people less willing to share vulnerabilities that they have discovered. I speak specifically from my experience in the year 2000, regarding the NAPTHA DoS. Mr. Robert Watson was quite uncivilized in his criticisms of me and the disclosure, even though it had been handled in the most reasonable way (through CERT).

You may not believe it, but I've known about this BIND problem for some years, but kept it in my vest pocket. Why? Because I was tired of being made to suffer for doing what was right.

I have an inkling about other problems which affect commonly used open-source software, but I see no reason to do a thorough investigation and disclose the results in a responsible way. Because of the bad attitudes of a number of people in the security community, I've been very quiet, not revealing any of my accidental discoveries nor pursuing fixes for the problems I see. Until reasonable and diplomatic people are installed as the security contacts for organizations such as FreeBSD, I will only make patches available to me and my close friends.

Perhaps I am wrong, and the people who flamed me for my disclosure have grown up. I'd like to think so.

-R. Keyes