RE: Reasons why BIND isn't being upgraded
For several services, we keep a table of inhouse daemon/versions to real daemons/versions. We haven't done this on bind yet, but thinking about it now. We starting using it on FTP services a few years ago. That way we know what version of wu-ftpd or apache (or whatever) we are running on a server, but the script kiddies don't off the bat. Some of it *is* customized, but we have version identifiers for those customized versions as well. It's not that big of a hassle to keep track of the map - just a simple hash to manage. Best of both worlds. K
-----Original Message----- From: Patrick Greenwell [mailto:patrick@cybernothing.org] Sent: Friday, February 02, 2001 11:14 AM To: Bill Woodcock Cc: nanog@merit.edu Subject: Re: Reasons why BIND isn't being upgraded
On Fri, 2 Feb 2001, Bill Woodcock wrote:
On Fri, 2 Feb 2001, Patrick Greenwell wrote: > By the same token one might argue that atempting to
hide vunerabilities
> to those paying you for "early warnings" doesn't help at all.
Not at all... If you're trying to hide a vulnerability by
lying about
your version number, that presupposes generally-held knowledge of an association between a vulnerability and a version number.
"Early warning" is specifically a means of delaying the general availability of knowledge of that association.
Which leaves those that have not been informed of such vunerabilities acutely vunerable.
Script kiddies may be stupid, but the people writing the program that they utilize generally aren't.
Without rehashing the whole "open-disclosure" vs. "non-disclosure" arguments related to security issues in software, or the historically extreme inadequacies of CERT in offering timely notification of ANY security-related issues, it's very disappointing to see ISC resort to a fee-based, non-public-disclosure-at-the-time-of-discovery, NDA'd and "we'll update people via CERT" method of dealing with the community they have served for so long.
I would have hoped by now that lists such as Bugtraq would have adequately exhibited the folly of such methodologies.
Obviously that is not the case.
participants (1)
-
Karyn Ulriksen