What's really sad is that bad attitudes from various OS security organizations, such as some people at FreeBSD, have made some people less willing to share vulnerabilities that they have discovered. I speak specifically from my experience in the year 2000, regarding the NAPTHA DoS. Mr. Robert Watson was quite uncivilized in his criticisms of me and the disclosure, even though it had been handled in the most reasonable way (through CERT). You may not believe it, but I've known about this BIND problem for some years, but kept it in my vest pocket. Why? Because I was tired of being made to suffer for doing what was right. I have an inkling about other problems which affect commonly used open-source software, but I see no reason to do a thorough investigation and disclose the results in a responsible way. Because of the bad attitudes of a number of people in the security community, I've been very quiet, not revealing any of my accidental discoveries nor pursuing fixes for the problems I see. Until reasonable and diplomatic people are installed as the security contacts for organizations such as FreeBSD, I will only make patches available to me and my close friends. Perhaps I am wrong, and the people who flamed me for my disclosure have grown up. I'd like to think so.

-R. Keyes
In message <Pine.LNX.4.64.0808021459580.23103@neptune.sinister.com>, Bob Keyes writes:

> Until reasonable and diplomatic people are installed as the security
> contacts for organizations such as FreeBSD, I will only make patches
> available to me and my close friends.

I can warmly recommend you read the book "Blackmailing for dummies", as I can see that you make several classical beginner mistakes in this attempt.

Better luck next time.

Poul-Henning

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
Bob is quite obviously trolling for a fight here, and I'm definitely not going to get sucked into that. I would like to point out however that the _DNS_ vulnerability that is currently in wide discussion is not in any way related to BIND, it's a fundamental flaw in the protocol related to response forgery. All major vendors of DNS systems and the IETF working groups on DNS are trying to find a permanent solution for this problem. As a stop-gap measure ISC has adopted the same solution for BIND that has proven effective for other vendors, randomizing the query source port.

You can find more information about this issue here:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
http://www.kb.cert.org/vuls/id/800113
http://tools.ietf.org/html/draft-ietf-dnsext-forgery-resilience

Hope this helps,

Doug

--
This .signature sanitized for your protection
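The source-port randomization Doug mentions as the stop-gap, as an added example that is not part of this thread: a small Python check that classifies the query source ports captured from a resolver you operate (fixed, sequential, or randomized) and reports how many bits an off-path forged response would have to match. The port lists are constructed samples, not real captures; the function names are my own.

```python
import math
import random

TXID_BITS = 16  # the DNS transaction ID is a 16-bit field


def classify_source_ports(ports):
    """Classify the UDP source ports a resolver used for outbound queries.

    ports: source ports in the order the queries were sent (for example
    read from a packet capture of outbound traffic to port 53).
    Returns (verdict, observed_bits); observed_bits is a sample-size-limited
    lower bound on the entropy the port field adds against forgery.
    """
    if len(ports) < 2:
        raise ValueError("need at least two observed queries")
    distinct = len(set(ports))
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    sequential_fraction = sum(1 for d in deltas if d == 1) / len(deltas)
    if distinct == 1:
        # pre-patch behaviour: every query leaves from the same port
        return "fixed", 0.0
    if sequential_fraction >= 0.5:
        # predictable: the next port follows from the last one observed
        return "sequential", 0.0
    # log2 of the distinct ports seen understates the real entropy when the
    # sample is small, so treat it as a lower bound capped at 16 bits
    return "randomized", round(min(TXID_BITS, math.log2(distinct)), 1)


def forgery_work_bits(port_bits):
    """Bits a spoofed response must guess: 16-bit TXID plus the port entropy."""
    return TXID_BITS + port_bits


# Constructed samples standing in for three capture runs (not real traffic).
FIXED = [53] * 200
SEQUENTIAL = list(range(40000, 40200))
_rng = random.Random(7)
RANDOMIZED = [_rng.randint(1024, 65535) for _ in range(200)]

if __name__ == "__main__":
    for name, sample in (("fixed", FIXED), ("sequential", SEQUENTIAL),
                         ("randomized", RANDOMIZED)):
        verdict, bits = classify_source_ports(sample)
        print(f"{name:10s} -> {verdict:10s} forger must match "
              f"{forgery_work_bits(bits)} bits")
```

A resolver that comes back "fixed" or "sequential" leaves the forger only the 16-bit transaction ID to guess, which is the condition the linked advisories describe.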