Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: Reasons why BIND isn't being upgraded

  • From: Karyn Ulriksen
  • Date: Fri Feb 02 15:39:13 2001

For several services, we keep a table of inhouse daemon/versions to real
daemons/versions.  We haven't done this on bind yet, but thinking about it
now.  We starting using it on FTP services a few years ago.  That way we
know what version of wu-ftpd or apache (or whatever) we are running on a
server, but the script kiddies don't off the bat.  Some of it *is*
customized, but we have version identifiers for those customized versions as
well.  It's not that big of a hassle to keep track of the map - just a
simple hash to manage.  Best of both worlds.

K



> -----Original Message-----
> From: Patrick Greenwell [mailto:patrick@cybernothing.org]
> Sent: Friday, February 02, 2001 11:14 AM
> To: Bill Woodcock
> Cc: nanog@merit.edu
> Subject: Re: Reasons why BIND isn't being upgraded
> 
> 
> 
> On Fri, 2 Feb 2001, Bill Woodcock wrote:
> 
> >       On Fri, 2 Feb 2001, Patrick Greenwell wrote:
> >     > By the same token one might argue that atempting to 
> hide vunerabilities 
> >     > to those paying you for "early warnings" doesn't help at all.
> > 
> > Not at all...  If you're trying to hide a vulnerability by 
> lying about
> > your version number, that presupposes generally-held knowledge of an
> > association between a vulnerability and a version number.
> > 
> > "Early warning" is specifically a means of delaying the general
> > availability of knowledge of that association.  
> 
> Which leaves those that have not been informed of such vunerabilities
> acutely vunerable. 
> 
> Script kiddies may be stupid, but the people writing the 
> program that they
> utilize generally aren't.
> 
> Without rehashing the whole "open-disclosure" vs. "non-disclosure" 
> arguments related to security issues in software, or the historically
> extreme inadequacies of CERT in offering timely notification of ANY 
> security-related issues, it's very disappointing to see ISC 
> resort to a
> fee-based, non-public-disclosure-at-the-time-of-discovery, NDA'd and
> "we'll update people via CERT" method of dealing with the 
> community they
> have served for so long.
> 
> I would have hoped by now that lists such as Bugtraq would 
> have adequately 
> exhibited the folly of such methodologies. 
> 
> Obviously that is not the case.
> 
> 
> 





Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.