North American Network Operators Group
RE: Reasons why BIND isn't being upgraded
For several services, we keep a table of in-house daemon/versions to real daemons/versions. We haven't done this on bind yet, but thinking about it now. We started using it on FTP services a few years ago. That way we know what version of wu-ftpd or apache (or whatever) we are running on a server, but the script kiddies don't, off the bat. Some of it *is* customized, but we have version identifiers for those customized versions as well. It's not that big of a hassle to keep track of the map - just a simple hash to manage. Best of both worlds.

K

> -----Original Message-----
> From: Patrick Greenwell [mailto:[email protected]]
> Sent: Friday, February 02, 2001 11:14 AM
> To: Bill Woodcock
> Cc: [email protected]
> Subject: Re: Reasons why BIND isn't being upgraded
>
> On Fri, 2 Feb 2001, Bill Woodcock wrote:
>
> > On Fri, 2 Feb 2001, Patrick Greenwell wrote:
> > > By the same token one might argue that attempting to hide vulnerabilities
> > > to those paying you for "early warnings" doesn't help at all.
> >
> > Not at all... If you're trying to hide a vulnerability by lying about
> > your version number, that presupposes generally-held knowledge of an
> > association between a vulnerability and a version number.
> >
> > "Early warning" is specifically a means of delaying the general
> > availability of knowledge of that association.
>
> Which leaves those that have not been informed of such vulnerabilities
> acutely vulnerable.
>
> Script kiddies may be stupid, but the people writing the program that they
> utilize generally aren't.
>
> Without rehashing the whole "open-disclosure" vs. "non-disclosure"
> arguments related to security issues in software, or the historically
> extreme inadequacies of CERT in offering timely notification of ANY
> security-related issues, it's very disappointing to see ISC resort to a
> fee-based, non-public-disclosure-at-the-time-of-discovery, NDA'd and
> "we'll update people via CERT" method of dealing with the community they
> have served for so long.
>
> I would have hoped by now that lists such as Bugtraq would have adequately
> exhibited the folly of such methodologies.
>
> Obviously that is not the case.
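The in-house version table K describes, as an added example that is not code from the post or from any of the projects it names: a Python sketch of the map from advertised tokens to real daemon/version, a lookup from the banner as seen on the wire, and a check that no token repeats the real daemon name or version number. The service names, tokens, banner formats and sample banners are constructed for illustration and are assumptions, not anything the post specifies.

```python
"""Resolve obfuscated service banners back to the real daemon and version.

Added example modelling the in-house version table described on the NANOG
thread; the table contents, tokens and banners below are constructed.
"""
import re

# The "simple hash": token advertised in the banner -> (real daemon, version).
# Customised builds get their own token so they are tracked separately.
VERSION_MAP = {
    "fs-1.2":  ("wu-ftpd", "2.6.1"),
    "fs-1.2c": ("wu-ftpd", "2.6.1 with local patches"),
    "ws-3.0":  ("apache", "1.3.14"),
    "ns-7":    ("bind", "8.2.3"),
}

# How each service exposes its banner; only the token inside it is ours.
BANNER_PATTERNS = {
    # wu-ftpd style greeting: "220 host FTP server (Version <tok>) ready."
    "ftp":  re.compile(r"^220 \S+ FTP server \(Version (?P<tok>[^)\s]+)\)"),
    # HTTP response header: "Server: <tok>"
    "http": re.compile(r"^Server:\s*(?P<tok>\S+)", re.IGNORECASE),
    # Quoted TXT text printed by `dig @host version.bind txt chaos +short`
    "dns":  re.compile(r'^"(?P<tok>[^"]*)"$'),
}


def extract_token(service, banner):
    """Pull the advertised token out of a raw banner line; None if no match."""
    pat = BANNER_PATTERNS.get(service)
    if pat is None:
        raise ValueError("unknown service %r" % service)
    m = pat.search(banner.strip())
    return m.group("tok") if m else None


def real_version(service, banner, version_map=VERSION_MAP):
    """Map a banner seen on the wire to (daemon, version).

    Returns None when the token is not in the table. That is a useful
    signal in itself: an unmapped banner is either a host outside the
    inventory or a stock build that advertises its real version.
    """
    tok = extract_token(service, banner)
    if tok is None:
        return None
    return version_map.get(tok)


def map_problems(version_map=VERSION_MAP):
    """Check that no token gives away what it is supposed to hide.

    A token containing the real daemon name or the real version number
    defeats the purpose of the mapping.
    """
    problems = []
    for tok, (daemon, ver) in version_map.items():
        if daemon.lower() in tok.lower():
            problems.append("%s leaks daemon name %s" % (tok, daemon))
        num = re.match(r"[\d.]+", ver)          # leading numeric part, e.g. 2.6.1
        if num and num.group(0) in tok:
            problems.append("%s leaks version %s" % (tok, num.group(0)))
    return problems


if __name__ == "__main__":
    # Constructed sample banners as a scanner would see them.
    samples = [
        ("ftp", "220 ftp.example.net FTP server (Version fs-1.2c) ready."),
        ("http", "Server: ws-3.0"),
        ("dns", '"ns-7"'),
        ("http", "Server: Apache/1.3.14 (Unix)"),   # stock build, not in table
    ]
    for service, banner in samples:
        print("%-4s %-55s -> %s" % (service, banner, real_version(service, banner)))
    print("table problems:", map_problems() or "none")
```

The token is whatever you configure the daemon to advertise; for BIND that is the `version "ns-7";` statement in `options`, and the `dns` pattern above matches the `+short` output of a CHAOS-class `version.bind` TXT query. Run `map_problems` whenever the table changes, and treat a `None` from `real_version` as an inventory gap to chase rather than a lookup failure to ignore.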