From: Bob Keyes <bob@sinister.com>
To: freebsd-security@freebsd.org
Date: Sat, 2 Aug 2008 15:09:37 -0400 (EDT)
Subject: The BIND scandal

What's really sad is that bad attitudes from various OS security organizations, such as some people at FreeBSD, have made some people less willing to share vulnerabilities that they have discovered. I speak specifically from my experience in the year 2000, regarding the NAPTHA DoS. Mr. Robert Watson was quite uncivilized in his criticisms of me and the disclosure, even though it had been handled in the most reasonable way (through CERT). You may not believe it, but I've known about this BIND problem for some years, but kept it in my vest pocket. Why? Because I was tired of being made to suffer for doing what was right.

I have an inkling about other problems which affect commonly used open-source software, but I see no reason to do a thorough investigation and disclose the results in a responsible way. Because of the bad attitudes of a number of people in the security community, I've been very quiet, not revealing any of my accidental discoveries nor pursuing fixes for the problems I see. Until reasonable and diplomatic people are installed as the security contacts for organizations such as FreeBSD, I will only make patches available to me and my close friends. Perhaps I am wrong, and the people who flamed me for my disclosure have grown up. I'd like to think so.

-R. Keyes