nanog mailing list archives

RE: Reasons why BIND isn't being upgraded

From: Karyn Ulriksen <kulriksen () publichost com>
Date: Fri, 2 Feb 2001 12:35:00 -0800


For several services, we keep a table of inhouse daemon/versions to real
daemons/versions.  We haven't done this on bind yet, but thinking about it
now.  We starting using it on FTP services a few years ago.  That way we
know what version of wu-ftpd or apache (or whatever) we are running on a
server, but the script kiddies don't off the bat.  Some of it *is*
customized, but we have version identifiers for those customized versions as
well.  It's not that big of a hassle to keep track of the map - just a
simple hash to manage.  Best of both worlds.

K

-----Original Message-----
From: Patrick Greenwell [mailto:patrick () cybernothing org]
Sent: Friday, February 02, 2001 11:14 AM
To: Bill Woodcock
Cc: nanog () merit edu
Subject: Re: Reasons why BIND isn't being upgraded



On Fri, 2 Feb 2001, Bill Woodcock wrote:

      On Fri, 2 Feb 2001, Patrick Greenwell wrote:
    > By the same token one might argue that atempting to

hide vunerabilities

    > to those paying you for "early warnings" doesn't help at all.

Not at all...  If you're trying to hide a vulnerability by

lying about

your version number, that presupposes generally-held knowledge of an
association between a vulnerability and a version number.

"Early warning" is specifically a means of delaying the general
availability of knowledge of that association.


Which leaves those that have not been informed of such vunerabilities
acutely vunerable. 

Script kiddies may be stupid, but the people writing the 
program that they
utilize generally aren't.

Without rehashing the whole "open-disclosure" vs. "non-disclosure" 
arguments related to security issues in software, or the historically
extreme inadequacies of CERT in offering timely notification of ANY 
security-related issues, it's very disappointing to see ISC 
resort to a
fee-based, non-public-disclosure-at-the-time-of-discovery, NDA'd and
"we'll update people via CERT" method of dealing with the 
community they
have served for so long.

I would have hoped by now that lists such as Bugtraq would 
have adequately 
exhibited the folly of such methodologies. 

Obviously that is not the case.

Current thread:

RE: Reasons why BIND isn't being upgraded, (continued)
- - - RE: Reasons why BIND isn't being upgraded Vivien M. (Feb 24)
    - Re: Reasons why BIND isn't being upgraded Jeffrey Meltzer (Feb 24)
    - Re: Reasons why BIND isn't being upgraded Adrian Chadd (Feb 24)
    - Re: Reasons why BIND isn't being upgraded Joe Rhett (Feb 24)
    - Re: Reasons why BIND isn't being upgraded mdevney (Feb 24)
    - Re: Reasons why BIND isn't being upgraded Paul A Vixie (Feb 24)
    - Re: Reasons why BIND isn't being upgraded Christian Kuhtz (Feb 24)
    - Re: Reasons why BIND isn't being upgraded Bill Fumerola (Feb 24)
- RE: Reasons why BIND isn't being upgraded Carter, Gregory (Feb 24)
  - RE: Reasons why BIND isn't being upgraded mdevney (Feb 24)
- RE: Reasons why BIND isn't being upgraded Karyn Ulriksen (Feb 24)
- Re: Reasons why BIND isn't being upgraded Simon Waters (Feb 24)
- Re: Reasons why BIND isn't being upgraded Jeffrey Meltzer (Feb 24)
  - Re: Reasons why BIND isn't being upgraded jlewis (Feb 24)
  - BIND, djbdns, commercialization jamie rishaw (Feb 24)
    - genetic diversity w/ DNS bmanning (Feb 24)
    - Re: genetic diversity w/ DNS ken harris. (Feb 24)
  - Re: Reasons why BIND isn't being upgraded Paul Vixie (Feb 24)
  - Re: Reasons why BIND isn't being upgraded Joe Rhett (Feb 24)
    - Re: Reasons why BIND isn't being upgraded J Bacher (Feb 24)
    - Re: Reasons why BIND isn't being upgraded Joe Rhett (Feb 24)

(Thread continues...)