RE: Reasons why BIND isn't being upgraded
I think if anything is to be stressed here, it is that it should be left up to the administrator of the network to choose whether they wish the version records to be available or not. Theory can be argued for it to be either enabled or disabled, but honestly I wouldn't care either way if the choice was left to me and by default it was not enabled until I specified otherwise. I had no idea that named had ever responded this way until it was posted to this list, to my surprise. I am not an advocate of security through obscurity; however, I don't feel that administrators should be removing all doubt for script kiddies of what versions of software they are running so easily. Make them work for it.

Greg
gcarter@infoDNS.com
Senior Network Administrator, infoDNS
http://www.infodns.com/

-----Original Message-----
From: Adam McKenna [mailto:adam@flounder.net]
Sent: Thursday, February 01, 2001 6:13 PM
To: nanog@merit.edu
Subject: Re: Reasons why BIND isn't being upgraded

On Thu, Feb 01, 2001 at 06:07:44PM -0800, Paul Vixie wrote:
> Simon@wretched.demon.co.uk (Simon Waters) writes:
>
> > I remain unconvinced that showing the version string helps much.
>
> it helped you with your survey, didn't it?
>
> hiding it doesn't help at all. people who want to know if you're vulnerable and to what have tools to find out.
>
> hiding it DOES however make it harder for people (including network owners) to do surveys.
I always thought that it was regarded as generally good security practice to give out as little information about your systems as possible, and none at all if you can help it. The BIND version should at least only be accessible from a set of defined IP addresses, defaulting to 127/8.

--Adam

--
Adam McKenna <adam-sig@flounder.net>
http://flounder.net/publickey.html
"No matter how much it changes, technology's just a bunch of wires connected to a bunch of other wires." -- Joe Rogan, _NewsRadio_
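Adam's proposal, version records served only to a defined set of addresses with 127/8 as the default, can be expressed in BIND 9 configuration. The fragment below is an added example written for this page, not from the thread or from ISC; the ACL name, file path, serial and TXT strings are my own choices, and it relies on the documented BIND 9 behaviour that an explicit CHAOS-class view replaces the built-in one that normally answers version.bind.

```conf
// ---- named.conf fragment (constructed example) ----

// Who may read the CHAOS-class diagnostic records; 127/8 is the
// default Adam proposes. Add monitoring hosts or survey boxes here.
acl "version-readers" { 127.0.0.0/8; };

// Defining our own CHAOS view hides BIND's built-in "_bind" view,
// so version.bind is only answered from the zone we define here.
view "chaos" chaos {
    match-clients { any; };
    recursion no;
    allow-query { version-readers; };   // everyone else gets REFUSED
    zone "bind" {
        type master;
        file "/etc/bind/db.bind";       // hypothetical path, see below
    };
};

// Once any view exists, every zone must live in a view, so the
// normal IN-class service goes here, unchanged by the ACL above.
view "default" in {
    match-clients { any; };
    zone "." { type hint; file "/etc/bind/db.root"; };
    // ... the server's regular IN zones ...
};

; ---- /etc/bind/db.bind (constructed zone file) ----
$TTL 3600
@               CH SOA  localhost. hostmaster.localhost. (
                        2001020101 ; serial
                        3600 900 604800 3600 )
                CH NS   localhost.
version.bind.   CH TXT  "version withheld"
hostname.bind.  CH TXT  "ns1.example.net"
```

From an address in the ACL, `dig @127.0.0.1 version.bind CH TXT +short` returns the TXT string, while the same query from anywhere else comes back with status REFUSED. The IN-class zones are unaffected, because the allow-query applies only to the CHAOS view.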
On Thu, 1 Feb 2001, Carter, Gregory wrote:
> versions of software they are running so easily. Make them work for it.

The above is my answer as well. Let's face it, you're going to get hacked (cracked for the clueless pedantic). That's a reality: there is someone on the planet better than you and he will one day take a liking to your machine. The best we can do is make him work his ass off for it. Incidentally that gets rid of the script kiddies too. When a machine under my control is hacked (as I know one day it will be), I want it to be by a world-class genius hacker. A script kiddie flooding Undernet off my box would be embarrassing.

-Matthew Devney
Teamsphere Interactive