Re: [Re: how to get people to upgrade? (Re: The weak link? DNS)]
"Jeffrey C. Ollie" <jeff@ollie.clive.ia.us> wrote:
On Wed, 2003-03-26 at 09:24, Paul Vixie wrote:
so here's a proposal. we (speaking for ISC here) could add a config option (default to OFF) to make bind send some kind of registration packet at boot time, containing an e-mail address for a technical contact for that server, and perhaps its hostname as well.
options {
    ...
    ...
    // this option is here to remind you when it is time to be a
    // responsible netizen - choices are on or off, default is on
    fetch-clue on
    ...
}
[...]
given such a feature, whose default was OFF, would anyone here who uses BIND stop using it out of protest? if so plz answer publically (on nanog).
I would not use such a feature, and I suspect that most people who would use such a feature would not have a clue that it was there or how to turn it on. What I would like to see is somewhat of the idea in reverse. The ISC would host a zone that would contain TXT records with security/bug advisories for every version:
$ORIGIN .
security-notice.bind IN SOA ns.isc.org. postmaster.isc.org. 1 7200 3600 604800 3600
$ORIGIN security-notice.bind.
8.3.3 IN TXT "Name: BIND: Multiple Denial of Service [yadda yadda yadda...]"
4.9.10 IN TXT "Name: LIBRESOLV: buffer overrun [yadda yadda yadda...]"
yadda yadda yadda...
Ideally the zone would be DNSSEC signed as well.
don't forget to include some useful/helpful comments regarding where to look for more info
Then, by default, BIND would query the zone periodically (perhaps every 24 hours or so) for its version. If any records are found it would log a message and/or send email to root@localhost, which would be repeated periodically (I'd log a message every time that a check was performed, but I'd only email once a week). There would be config options so that the clueful admin could customize/disable this behavior to his or her liking.
i like this idea better, and every little bit helps, but i still have some reservations: for the install-and-forget crowd (it is running right - well then why would i want to mess with it), i don't know that they would see the periodic messages, know how to act on them (although i am sure that very detailed instructions could be included in each email), or care to act on them. unless there is a blinking icon in the 'taskbar' that they click on, and then magically when the machine has rebooted, they are up2date with everything, i have doubts that it would work for a lot of the servers out there (besides, how will any of this prompt those who are currently out of date to upgrade?)
This way no one would be collecting a central database of email addresses, but everyone would get notified of security advisories in a timely manner.
Jeff
my $0.02 joshua "Walk with me through the Universe, And along the way see how all of us are Connected. Feast the eyes of your Soul, On the Love that abounds. In all places at once, seemingly endless, Like your own existence." - Stephen Hawking -
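The check Jeff sketches above (query `<version>.security-notice.bind` for TXT records, log on every check, mail at most once a week, and let the admin disable it) is concrete enough to prototype. The following is an added example and is not code from the thread or from ISC/BIND: the zone contents are a constructed sample in the same shape as the sketch, and the DNS lookup is replaced by an in-memory resolver built from that sample so the script runs offline; a real deployment would swap `make_resolver` for a TXT query through a DNS library and the `mail`/`log` lists for syslog and root@localhost. The class and function names (`parse_zone`, `AdvisoryChecker`) are assumptions of this example.

```python
"""Prototype of the zone-driven advisory check proposed in the thread.

Added example, not BIND code: the zone below is a constructed sample and
the resolver is in-memory so the whole thing runs without network access.
"""
import re
from typing import Callable, Dict, List, Optional

# Constructed sample of the proposed security-notice.bind zone.
# Owner names are version strings, so "8.3.3" becomes the three labels
# 8.3.3 under the zone origin, exactly as in the thread's sketch.
SAMPLE_ZONE = """\
$ORIGIN .
security-notice.bind IN SOA ns.isc.org. postmaster.isc.org. 1 7200 3600 604800 3600
$ORIGIN security-notice.bind.
8.3.3  IN TXT "Name: BIND: Multiple Denial of Service (constructed sample)"
8.3.3  IN TXT "URL: https://example.invalid/advisories/sample-1 (constructed sample)"
4.9.10 IN TXT "Name: LIBRESOLV: buffer overrun (constructed sample)"
"""

TXT_LINE = re.compile(r'^(\S+)\s+IN\s+TXT\s+"(.*)"$')


def parse_zone(text: str) -> Dict[str, List[str]]:
    """Collect TXT records keyed by fully qualified owner name.

    Only $ORIGIN and TXT lines matter for the advisory lookup; the SOA and
    anything else is skipped.
    """
    origin = "."
    records: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = TXT_LINE.match(line)
        if not m:
            continue
        owner, txt = m.groups()
        if owner.endswith("."):
            fqdn = owner
        elif origin == ".":
            fqdn = owner + "."
        else:
            fqdn = owner + "." + origin
        records.setdefault(fqdn, []).append(txt)
    return records


def make_resolver(records: Dict[str, List[str]]) -> Callable[[str], List[str]]:
    """Return a TXT lookup over parsed records (stand-in for a real DNS query)."""
    def resolve_txt(name: str) -> List[str]:
        return list(records.get(name, []))
    return resolve_txt


class AdvisoryChecker:
    """Periodic check as described in the thread: log every run, mail weekly."""

    MAIL_INTERVAL = 7 * 24 * 3600  # once a week, in seconds

    def __init__(self, version: str, resolve_txt: Callable[[str], List[str]],
                 zone: str = "security-notice.bind.", enabled: bool = True) -> None:
        self.version = version
        self.resolve_txt = resolve_txt
        self.zone = zone
        self.enabled = enabled  # the config knob for the admin who wants it off
        self.last_mail: Optional[float] = None
        self.log: List[str] = []   # stand-in for syslog
        self.mail: List[str] = []  # stand-in for mail to root@localhost

    def check(self, now: float) -> List[str]:
        """Run one check at time `now`; return any advisories found."""
        if not self.enabled:
            return []
        name = f"{self.version}.{self.zone}"
        advisories = self.resolve_txt(name)
        self.log.append(f"checked {name}: {len(advisories)} advisory record(s)")
        due = self.last_mail is None or now - self.last_mail >= self.MAIL_INTERVAL
        if advisories and due:
            self.mail.append("Advisories for BIND " + self.version + ":\n"
                             + "\n".join(advisories))
            self.last_mail = now
        return advisories


if __name__ == "__main__":
    resolver = make_resolver(parse_zone(SAMPLE_ZONE))
    checker = AdvisoryChecker("8.3.3", resolver)
    for day in range(8):  # simulate a week of daily checks
        checker.check(day * 86400)
    print("\n".join(checker.log))
    print(f"{len(checker.mail)} mail(s) sent")
```

Note that the check looks up only the exact version label; the thread's zone would need a record per vulnerable version rather than a range, which is also why a DNSSEC signature on the zone matters to Jeff: an unsigned answer telling an admin there is nothing to fix is as easy to forge as one telling him to upgrade.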
On Wed, 2003-03-26 at 10:52, Joshua Smith wrote:
don't forget to include some useful/helpful comments regarding where to look for more info
Yes, the TXT record would include the entire text of the security notice (hmm... how big can TXT records be?) or at least a URL.
i like this idea better, and every little bit helps, but i still have some reservations: for the install-and-forget crowd (it is running right - well then why would i want to mess with it), i don't know that they would see the periodic messages, know how to act on them (although i am sure that very detailed instructions could be included in each email), or care to act on them. unless there is a blinking icon in the 'taskbar' that they click on, and then magically when the machine has rebooted, they are up2date with everything, i have doubts that it would work for a lot of the servers out there
<sarcasm>Ideally, you would get a mild electric shock from your keyboard if you were running software that had known security problems. Not enough of a shock that would numb your hands (you need them to upgrade!) or send you into cardiac arrest, but just enough that using a computer would be uncomfortable enough so that you would apply security patches in a timely manner. However, the technical and legal issues are unsolvable (I'm fine with the moral/ethical issues here) so I didn't mention it before.</sarcasm> Seriously, you can do only so much to *force* people to apply security patches. Basically, when it comes to security patches, there are two classes of admins, the kind that do hear about security advisories and the kind that don't. For those admins that do hear about security advisories there are going to be some admins that don't apply security patches because they just don't care. There are also going to be some that don't apply security patches because they don't know how and don't care enough to learn how. There's not much we can do about those people. What we CAN do is to reduce the number of people that don't hear about security advisories. Web pages, CERT mailing lists, etc. don't reach enough people partly because people don't know about them or don't have the time to check a bazillion web pages or read a bazillion mailing list posts that talk about software that they don't even use. However, if MY DNS server started emailing ME, I'd be a little more likely to sit up and take notice and maybe do something about it.
(besides, how will any of this prompt those who are currently out of date to upgrade?)
Unfortunately, any proposal like this can only affect future versions of software. Fortunately, most systems get upgraded eventually (although it could take years, maybe decades). Jeff