Once this had gone public CCIP should have engaged this forum. CCIP has well defined procedures and processes in place when sharing information with the National and International security communities and the "traditional" critical infrastructure community. Outside of those communities the process
Does "critical national infrastructure" (as quoted from your website) include all NZ ISPs, or just the big players?
Another suggestion is the need for a closed mailing list for the NZ ISP community.
Closed lists seem to serve two purposes: 1) making the members feel 1337; and 2) money spinners. And who would act as the "police" to ensure that all members are ISP representatives? Who would keep tabs on which members have changed jobs and thus require removal from the list? I see this as a way to introduce #2 as above. Then you give all members club cards or secret decoder rings and if the smaller ISPs have trouble coming up with the funds, they'll be excluded. Perhaps it's more pertinent to ask "What is the end goal?" Is it to keep the NZ ISP industry aware of all security issues? Or is it to create a secret club? It's likely that the undesirables already know of the vulnerabilities, and the media will find out anyway and put some dramatic spin on it to keep themselves employed. What about operators of private networks? Shouldn't they know about these issues to protect their networks from attack? In this scenario, one poisoned DNS cache on a company intranet could lead to an entire company's PCs being hijacked or infected, or whatever the poisoner decides will provide the maximum amusement. With your secret club proposal, these network operators would not be aware of the issues because they're not ISPs. I believe NZNOG is the perfect avenue for security vulnerability disclosure. -- Spiro Harvey Knossos Networks Ltd 021-295-1923 www.knossos.net.nz