nanog mailing list archives

Re: Reasons why BIND isn't being upgraded


From: Adam Rothschild <asr () latency net>
Date: Sat, 3 Feb 2001 22:55:35 -0500


On Sat, Feb 03, 2001 at 06:34:36PM -0500, jlewis () lewis org wrote:
> It seems obvious, the goal is to get the root-servers upgraded and
> OS vendors notified so they can release patches/updates before holes
> become public knowledge.
>
> As someone else mentioned, some OS vendors have histories of taking
> an unreasonably long time to release updates for known
> vulnerabilities.

Yup.  And by the time OS vendors are notified, easily executable
exploit code is already in the hands of the script kiddies.  While it
might not be "public knowledge" yet, those who need to know in order
to initiate their attacks, probably do.

> You can bet people downloaded source for 8.2.3 and compared its code
> to previous versions looking for the holes.  Did you upgrade before
> the first cracker found a hole and wrote an exploit?

No need; I'm running djbdns at work and home, and I'm unaware of any
major security problems associated with it. ;)

On Sat, Feb 03, 2001 at 04:38:20PM -0800, Joe Rhett wrote:
> [ obvious and/or rude content omitted. ]

On Sat, Feb 03, 2001 at 04:43:47PM -0800, Joe Rhett wrote:
> > [...] How many people actually use the default vendor binaries
> > anyways?
> Just about every very large company that I've ever worked
> with. Also, having spent numerous years working the NAVSEA and other
> Pentagon systems, you are explicitly not permitted to install
> anything other than a vendor-provided patch.

True.  And many of these organizations are fully content running
exploitable versions of Sendmail 8.6, BIND 4.x, ftpd, telnetd, NFS,
NIS/YP, etc, if that's what their vendor's releasing.  Their main
concern is not security, but rather, vendor accountability and
conformance with what they believe to be the status quo.

Others maintain higher standards.

> My god, are there really this many idiots out there that don't grasp
> how the world works?

Apparently.

-adam
