Internet group plans security-information exchange

The Internet Software Consortium announces plans to create an exclusive information exchange to keep companies and software makers aware of any security holes.

Robert Lemos, Staff Writer, CNET News.com

The Internet Software Consortium, makers of the most popular software for the Internet's critical domain-name service, announced plans this week to create an exclusive information exchange to keep companies and software makers that use its product aware of any security holes.

The move follows Monday's report of four security flaws in the BIND (Berkeley Internet Name Domain) software that could allow attackers to crash or gain control of any DNS servers running the software.

The ISC has no secure service for relating flaw and patch information except through the Computer Emergency Response Team Coordination Center at Carnegie Mellon University. Unfortunately, using such an intermediary can make software-development discussions unwieldy, said Paul Vixie, chairman of the nonprofit ISC. As a result, technical discussions about software holes and patches have traditionally taken place on easier-to-use public e-mail lists, and that, said Vixie, is a problem.

"In the current situation, the bad guys get the information at the same time as the good guys, and then it's a horse race," he said. "Now we are going to give the right people a head start in that race."

Beginning later this month, the ISC will start charging a fee for membership in its new information service. Anyone needing legitimate access to the prerelease source code is welcome, said Vixie, including top-level-domain registrars (those that run, say, the .to or .com domains), software companies such as Red Hat and IBM, and developers.

Similar to the information sharing and analysis centers (ISACs) forming to protect critical industries and the Internet, the new service will give early information access to those that need it to secure their products. Members of the new service will be required to register and use encrypted e-mail when discussing issues concerning the BIND software.

"Anyone who ships that software as part of their systems can be part of this," Vixie said. In addition, the fee will be waived for other nonprofit groups.

The service will also act as a closed channel for information regarding security and software development, so companies and developers can fix their specific versions of BIND before the general public, and potential attackers, get wind of the problems.

The need for such a program became apparent this week when the ISC found that it could only communicate with developers over the phone or through the secure, but inconvenient, CERT mailing lists. If they posted to the public security lists, potential attackers would get the information at the same time as companies, Vixie said.

"This allows people to have a direct relationship with the ISC rather than using CERT as an intermediary," he said.

Yet, several people in the security community posted criticisms of the plan to SecurityFocus.com's BugTraq mailing list on Wednesday and Thursday.

"Myself, I think it is a terrible idea to charge money for security-information access and that closing BIND up like this is also going to be harmful," one critic said in response to the announcement.

Jim Magdych, security research manager of PGP Security, also voiced concern that such a new service could hurt more than help. Responsible public discussion of the flaws leads to better security, he said.

"Historically, security through obscurity is not as good a solution," he said. "I think the trend recently has been towards responsible disclosure (of security holes)." Such public disclosure not only makes the public aware of security issues but also pressures companies into making such fixes a high priority.

Vixie said such criticism was likely the result of a misunderstanding.

"ISC has always told CERT whenever we find a security flaw," he said. "They find out as soon as we know." That won't change, he said.

"There will be no special privilege level of information of this group," he added. "Anything learned by the group will be absolutely learned by all the members."