On Sat, Feb 03, 2001 at 06:34:36PM -0500, jlewis@lewis.org wrote:
> It seems obvious, the goal is to get the root-servers upgraded and OS vendors notified so they can release patches/updates before holes become public knowledge.
> As someone else mentioned, some OS vendors have histories of taking an unreasonably long time to release updates for known vulnerabilities.
Yup. And by the time OS vendors are notified, easily executable exploit code is already in the hands of the script kiddies. While it might not be "public knowledge" yet, those who need to know in order to initiate their attacks probably do.
> You can bet people downloaded source for 8.2.3 and compared its code to previous versions looking for the holes. Did you upgrade before the first cracker found a hole and wrote an exploit?
No need; I'm running djbdns at work and home, and I'm unaware of any major security problems associated with it. ;)

On Sat, Feb 03, 2001 at 04:38:20PM -0800, Joe Rhett wrote:
[ obvious and/or rude content omitted. ]

On Sat, Feb 03, 2001 at 04:43:47PM -0800, Joe Rhett wrote:
> > [...] How many people actually use the default vendor binaries anyways?
> Just about every very large company that I've ever worked with. Also, having spent numerous years working the NAVSEA and other Pentagon systems, you are explicitly not permitted to install anything other than a vendor-provided patch.
True. And many of these organizations are fully content running exploitable versions of Sendmail 8.6, BIND 4.x, ftpd, telnetd, NFS, NIS/YP, etc, if that's what their vendor's releasing. Their main concern is not security, but rather, vendor accountability and conformance with what they believe to be the status quo. Others maintain higher standards.
> My god, are there really this many idiots out there that don't grasp how the world works?
Apparently.

-adam