[34300] in North American Network Operators' Group
RE: Reasons why BIND isn't being upgraded
daemon@ATHENA.MIT.EDU (Karyn Ulriksen)
Fri Feb 2 15:37:26 2001
Message-ID: <0127E258EE29D3118A0F00609765B44847D116@dhcp-gateway.sitestream.net>
From: Karyn Ulriksen <kulriksen@publichost.com>
To: "'nanog@merit.edu'" <nanog@merit.edu>
Date: Fri, 2 Feb 2001 12:35:00 -0800
MIME-Version: 1.0
Content-Type: text/plain;
charset="windows-1252"
Errors-To: owner-nanog-outgoing@merit.edu
For several services, we keep a table of inhouse daemon/versions to real
daemons/versions. We haven't done this on bind yet, but thinking about it
now. We starting using it on FTP services a few years ago. That way we
know what version of wu-ftpd or apache (or whatever) we are running on a
server, but the script kiddies don't off the bat. Some of it *is*
customized, but we have version identifiers for those customized versions as
well. It's not that big of a hassle to keep track of the map - just a
simple hash to manage. Best of both worlds.
K
> -----Original Message-----
> From: Patrick Greenwell [mailto:patrick@cybernothing.org]
> Sent: Friday, February 02, 2001 11:14 AM
> To: Bill Woodcock
> Cc: nanog@merit.edu
> Subject: Re: Reasons why BIND isn't being upgraded
>
>
>
> On Fri, 2 Feb 2001, Bill Woodcock wrote:
>
> > On Fri, 2 Feb 2001, Patrick Greenwell wrote:
> > > By the same token one might argue that atempting to
> hide vunerabilities
> > > to those paying you for "early warnings" doesn't help at all.
> >
> > Not at all... If you're trying to hide a vulnerability by
> lying about
> > your version number, that presupposes generally-held knowledge of an
> > association between a vulnerability and a version number.
> >
> > "Early warning" is specifically a means of delaying the general
> > availability of knowledge of that association.
>
> Which leaves those that have not been informed of such vunerabilities
> acutely vunerable.
>
> Script kiddies may be stupid, but the people writing the
> program that they
> utilize generally aren't.
>
> Without rehashing the whole "open-disclosure" vs. "non-disclosure"
> arguments related to security issues in software, or the historically
> extreme inadequacies of CERT in offering timely notification of ANY
> security-related issues, it's very disappointing to see ISC
> resort to a
> fee-based, non-public-disclosure-at-the-time-of-discovery, NDA'd and
> "we'll update people via CERT" method of dealing with the
> community they
> have served for so long.
>
> I would have hoped by now that lists such as Bugtraq would
> have adequately
> exhibited the folly of such methodologies.
>
> Obviously that is not the case.
>
>
>
