On Sat, 03 February 2001, Joe Rhett wrote:
> Just about every very large company that I've ever worked with. Also, having spent numerous years working the NAVSEA and other Pentagon systems, you are explicitly not permitted to install anything other than a vendor-provided patch.
This may explain why Pentagon systems got hit with 250,000+ (depending on whose numbers you believe) intrusions last year, almost all through "known" vulnerabilities which had not been patched. Perhaps the Pentagon would have fewer intrusions if they fixed their systems instead of waiting for vendor-provided $700 toilet seat patches. As far as I can tell, ISC did not say they would stop distributing patches through the same methods used now. If you don't want to pay, you will get the exact same patches, through the exact same methods you get them now. Which is pretty good for "free" software. If you get BIND via a vendor distribution, such as AIX, Solaris, OSF/1, Redhat, etc.; your support channels will not change. I suspect the reality will be those companies paying ISC for "advanced notice" will get some warm fuzzy feelings, and let management feel they've done something. But it doesn't alter the fact the software had a vulnerability, and someone else could have found the hole long before any advanced notice is issued by ISC. How many folks will now query the root-name servers' CHAOS version numbers looking for a change? If you are a clever programmer, I'm sure you can fix all the flaws in the BIND code yourself, and you never need to pay ISC a penny.
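The "CHAOS version number" query mentioned above is the `version.bind` TXT record in the CH class, which BIND answers with its version string unless the operator overrides it with the `version` option in the `options { }` block of named.conf. The following is an added example, not code from the thread or from ISC: it builds that query by hand from the DNS wire format, parses an answer, and flags servers that still disclose a real version string, so an operator can check their own nameservers before a new release makes that string interesting to watchers. The two captured responses are constructed for the example (the `9.1.0` string and the transaction id are sample values), and `looks_like_version` is a heuristic of this example, not anything BIND defines.

```python
import re
import socket
import struct

CLASS_CH = 3   # CHAOS class, where BIND keeps version.bind
TYPE_TXT = 16  # TXT record type


def build_version_query(txid=0x1234, name="version.bind"):
    """Return the wire-format query for <name> TXT in class CH."""
    # Header: id, flags (no RD needed for a local CH lookup), qd=1, an=ns=ar=0
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", TYPE_TXT, CLASS_CH)


def _read_name(data, offset):
    """Decode a (possibly compressed) domain name; return (name, next_offset)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            tail, _ = _read_name(data, pointer)
            labels.append(tail)
            return ".".join(labels), offset + 2
        labels.append(data[offset + 1:offset + 1 + length].decode())
        offset += 1 + length


def parse_version_response(data):
    """Return (rcode, [TXT strings]) from a response to build_version_query()."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):                       # skip the echoed question
        _, offset = _read_name(data, offset)
        offset += 4                           # qtype + qclass
    texts = []
    for _ in range(an):
        _, offset = _read_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_TXT and rclass == CLASS_CH:
            i = 0
            while i < len(rdata):             # TXT rdata is a run of <len><chars>
                n = rdata[i]
                texts.append(rdata[i + 1:i + 1 + n].decode(errors="replace"))
                i += 1 + n
    return rcode, texts


def looks_like_version(text):
    """Heuristic (this example's own): a dotted numeric string reads as a real version."""
    return re.match(r"^\d+\.\d+", text) is not None


def version_is_exposed(rcode, texts):
    """True when the server answered and at least one TXT string looks like a version."""
    return rcode == 0 and any(looks_like_version(t) for t in texts)


def check_server(server, port=53, timeout=2.0):
    """Send the query to one of your own servers over UDP and classify the answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_query(), (server, port))
        data, _ = s.recvfrom(512)
    return version_is_exposed(*parse_version_response(data))


# Constructed sample captures (not real traffic). First: a server disclosing "9.1.0".
LEAKING_RESPONSE = (
    b"\x12\x34\x84\x00\x00\x01\x00\x01\x00\x00\x00\x00"   # id, flags QR|AA, qd=1, an=1
    b"\x07version\x04bind\x00\x00\x10\x00\x03"            # question: version.bind TXT CH
    b"\xc0\x0c\x00\x10\x00\x03\x00\x00\x00\x00\x00\x06"   # answer: ptr to name, TXT, CH, ttl 0, rdlen 6
    b"\x059.1.0"                                          # TXT: "9.1.0"
)
# Second: a server that refuses the CH query (rcode 5), answering nothing.
REFUSED_RESPONSE = (
    b"\x12\x34\x84\x05\x00\x01\x00\x00\x00\x00\x00\x00"
    b"\x07version\x04bind\x00\x00\x10\x00\x03"
)

if __name__ == "__main__":
    for label, capture in (("leaking", LEAKING_RESPONSE), ("refused", REFUSED_RESPONSE)):
        print(label, parse_version_response(capture), version_is_exposed(*parse_version_response(capture)))
```

Run `check_server("198.51.100.1")` against each of your own authoritative and recursive servers; a `True` result means the host answers `version.bind` with something that reads as a real release number, and the remedy is to set `version` in named.conf's `options { }` block to a string of your choosing, then re-run the check. Hiding the string does not remove a vulnerability, but it does mean a change in the string is not what tells outsiders a patch was applied.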
On Sat, Feb 03, 2001 at 07:10:23PM -0800, Sean Donelan wrote:
> > On Sat, 03 February 2001, Joe Rhett wrote:
> > Just about every very large company that I've ever worked with. Also, having spent numerous years working the NAVSEA and other Pentagon systems, you are explicitly not permitted to install anything other than a vendor-provided patch.
> This may explain why Pentagon systems got hit with 250,000+ (depending on whose numbers you believe) intrusions last year, almost all through "known" vulnerabilities which had not been patched. Perhaps the Pentagon would have fewer intrusions if they fixed their systems instead of waiting for vendor-provided $700 toilet seat patches.
From a friend involved in cleanup, the vast majority of those systems hadn't ever had any of the vendor-supplied security patches installed. They were 'special projects' that didn't fall under the normal system operations regulations. Such 'special projects' are now subject to review ;-)
> I suspect the reality will be those companies paying ISC for "advanced notice" will get some warm fuzzy feelings, and let management feel they've done something. But it doesn't alter the fact the software had a vulnerability, and someone else could have found the hole long before any advanced notice is issued by ISC. How many folks will now query the root-name servers' CHAOS version numbers looking for a change?
Paul's comments indicate that this a software/code-related support channel, not a security notification list. It's probably intended to cover their costs of supporting the vendors in producing patches to their customized versions more than anything. (I'm not involved, so this is my opinion only)
> If you are a clever programmer, I'm sure you can fix all the flaws in the BIND code yourself, and you never need to pay ISC a penny.
Not to be rude to Paul, but version 8's internals are a mess. I've tried 3 times to make enhancements to caching and forwarding in version 8, and I just couldn't follow the maze of interactions. Too many routines are involved in too many places in the data. So my enhancements would work 90% of the time, until some hitherto unknown operation dumped cache coherency down the tube. I'm a lot happier with version 9's modularized structure. That will probably be a lot easier for most people to follow.
--
Joe Rhett
Chief Technology Officer
JRhett@ISite.Net
ISite Services, Inc.
PGP keys and contact information: http://www.noc.isite.net/Staff/
> As far as I can tell, ISC did not say they would stop distributing patches through the same methods used now. If you don't want to pay, you will get the exact same patches, through the exact same methods you get them now. Which is pretty good for "free" software. If you get BIND via a vendor distribution, such as AIX, Solaris, OSF/1, Redhat, etc.; your support channels will not change.
> I suspect the reality will be those companies paying ISC for "advanced notice" will get some warm fuzzy feelings, and let management feel they've done something. But it doesn't alter the fact the software had a vulnerability, and someone else could have found the hole long before any advanced notice is issued by ISC. How many folks will now query the root-name servers' CHAOS version numbers looking for a change?
A couple of points on these issues:
1) No one has suggested that the current public distribution would go away. What has been a point of concern is that the public may have to wait [too long?] for vendors to get their act together and publish patches before the new release hits the general distribution. A good many companies don't rely on vendor patches.
2) Advanced notice has been called "paranoia" and "warm fuzzy". What it really is -- is the opportunity to have a bit of time for planning instead of engaging the gears for emergency mode.
Participants (3): J Bacher, Joe Rhett, Sean Donelan