Re: yes, there's another hole in BIND
Joe Hentzel (joe@helix0.chem.iastate.edu)
Fri, 22 Jul 1994 20:05:47 -0500 (CDT)
- In reply to: Pat Myrto: "Re: yes, there's another hole in BIND"

> > "In the previous message, Paul A Vixie said..."
> >
> > yes, a patch is in the works, and i'm testing it now.
> >
> > no, i'm not going to tell anybody what it is until i've got it fixed.
> >
>
> Security through obscurity is alive and well here, too, I see. Therefore
> the crackers who are exploiting the hole have the guaranteed knowledge
> that all users of DNS are vulnerable.
>
> Great.
>
> Perhaps more than ONE head working on the problem might be a good idea?
> Surely there is more than ONE person that can devise a fix...

I agree, the purpose of this list IS full disclosure. If a security problem is noticed, is it not usually after someone is the victim of its exploitation? Surely the software developers are not the first to know.

Nothing is gained by "security through obscurity", and you can't expect people to give up every piece of software they use, just because no one will tell them what the nature of the hole is. People have jobs and schedules and can't wait for bug fixes to be released. With knowledge about the hole they can make an educated decision about their system until it can be secured.

--
Joe Hentzel                 | God made the Idiot for practice, and then
System Security             | He made the School Board.
joe@helix0.chem.iastate.edu |                 -- Mark Twain