|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Reasons why BIND isn't being upgraded
On Sat, Feb 03, 2001 at 06:34:36PM -0500, [email protected] wrote: > It seems obvious, the goal is to get the root-servers upgraded and > OS vendors notified so they can release patches/updates before holes > become public knowledge. > > As someone else mentioned, some OS vendors have histories of taking > an unreasonably long time to release updates for known > vulnerabilities. Yup. And by the time OS vendors are notified, easily executable exploit code is already in the hands of the script kiddies. While it might not be "public knowledge" yet, those who need to know in order to initiate their attacks, probably do. > You can bet people downloaded source for 8.2.3 and compared its code > to previous versions looking for the holes. Did you upgrade before > the first cracker found a hole and wrote an exploit? No need; I'm running djbdns at work and home, and I'm unaware of any major security problems associated with it. ;) On Sat, Feb 03, 2001 at 04:38:20PM -0800, Joe Rhett wrote: [ obvious and/or rude content omitted. ] On Sat, Feb 03, 2001 at 04:43:47PM -0800, Joe Rhett wrote: > > [...] How many people actually use the default vendor binaries > > anyways? > Just about every very large company that I've ever worked > with. Also, having spent numerous years working the NAVSEA and other > Pentagon systems, you are explicitly not permitted to install > anything other than a vendor-provided patch. True. And many of these organizations are fully content running exploitable versions of Sendmail 8.6, BIND 4.x, ftpd, telnetd, NFS, NIS/YP, etc, if that's what their vendor's releasing. Their main concern is not security, but rather, vendor accountability and conformance with what they believe to be the status quo. Others maintain higher standards. > My god, are there really this many idiots out there that don't grasp > how the world works? Apparently. -adam
|