North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
RE: Reasons why BIND isn't being upgraded
- From: Karyn Ulriksen
- Date: Fri Feb 02 15:39:13 2001
For several services, we keep a table of inhouse daemon/versions to real
daemons/versions. We haven't done this on bind yet, but thinking about it
now. We starting using it on FTP services a few years ago. That way we
know what version of wu-ftpd or apache (or whatever) we are running on a
server, but the script kiddies don't off the bat. Some of it *is*
customized, but we have version identifiers for those customized versions as
well. It's not that big of a hassle to keep track of the map - just a
simple hash to manage. Best of both worlds.
> -----Original Message-----
> From: Patrick Greenwell [mailto:firstname.lastname@example.org]
> Sent: Friday, February 02, 2001 11:14 AM
> To: Bill Woodcock
> Cc: email@example.com
> Subject: Re: Reasons why BIND isn't being upgraded
> On Fri, 2 Feb 2001, Bill Woodcock wrote:
> > On Fri, 2 Feb 2001, Patrick Greenwell wrote:
> > > By the same token one might argue that atempting to
> hide vunerabilities
> > > to those paying you for "early warnings" doesn't help at all.
> > Not at all... If you're trying to hide a vulnerability by
> lying about
> > your version number, that presupposes generally-held knowledge of an
> > association between a vulnerability and a version number.
> > "Early warning" is specifically a means of delaying the general
> > availability of knowledge of that association.
> Which leaves those that have not been informed of such vunerabilities
> acutely vunerable.
> Script kiddies may be stupid, but the people writing the
> program that they
> utilize generally aren't.
> Without rehashing the whole "open-disclosure" vs. "non-disclosure"
> arguments related to security issues in software, or the historically
> extreme inadequacies of CERT in offering timely notification of ANY
> security-related issues, it's very disappointing to see ISC
> resort to a
> fee-based, non-public-disclosure-at-the-time-of-discovery, NDA'd and
> "we'll update people via CERT" method of dealing with the
> community they
> have served for so long.
> I would have hoped by now that lists such as Bugtraq would
> have adequately
> exhibited the folly of such methodologies.
> Obviously that is not the case.