Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Reasons why BIND isn't being upgraded

  • From: Adam Rothschild
  • Date: Sun Feb 04 00:20:20 2001

On Sat, Feb 03, 2001 at 06:34:36PM -0500, jlewis@lewis.org wrote:
> It seems obvious, the goal is to get the root-servers upgraded and
> OS vendors notified so they can release patches/updates before holes
> become public knowledge.
>
> As someone else mentioned, some OS vendors have histories of taking
> an unreasonably long time to release updates for known
> vulnerabilities.

Yup.  And by the time OS vendors are notified, easily executable
exploit code is already in the hands of the script kiddies.  While it
might not be "public knowledge" yet, those who need to know in order
to initiate their attacks, probably do.

> You can bet people downloaded source for 8.2.3 and compared its code
> to previous versions looking for the holes.  Did you upgrade before
> the first cracker found a hole and wrote an exploit?

No need; I'm running djbdns at work and home, and I'm unaware of any
major security problems associated with it. ;)

On Sat, Feb 03, 2001 at 04:38:20PM -0800, Joe Rhett wrote:
[ obvious and/or rude content omitted. ]

On Sat, Feb 03, 2001 at 04:43:47PM -0800, Joe Rhett wrote:
> > [...] How many people actually use the default vendor binaries
> > anyways?
> Just about every very large company that I've ever worked
> with. Also, having spent numerous years working the NAVSEA and other
> Pentagon systems, you are explicitly not permitted to install
> anything other than a vendor-provided patch.

True.  And many of these organizations are fully content running
exploitable versions of Sendmail 8.6, BIND 4.x, ftpd, telnetd, NFS,
NIS/YP, etc, if that's what their vendor's releasing.  Their main
concern is not security, but rather, vendor accountability and
conformance with what they believe to be the status quo.

Others maintain higher standards.

> My god, are there really this many idiots out there that don't grasp
> how the world works?

Apparently.

-adam





Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.