
408 comments

If you eat at Subway, Jared owns you!! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4652912)

At subway, you get a sub prepared anyway you like, by the friendly, efficient staff. Choose from mouth-watering veggies, succulent meats and cheeses, and a variety of freshly-baked bread. Why not stop in today and pick up some subs for the whole family to enjoy. I suggest the Italian BMT, piled high with genoa salami, pepperoni, ham, and provolone cheese. Top it with lettuce, tomato, onion, and pickles, add a few spritzes of italian dressing and you've got a meal fit for king. Subway: eat fresh!

g to the oatse
c to the izzex
fo shizzle my nizzle click here [jareddispatch.com] (note: the site is currently down. I expect it to come back online around Thanksgiving) to dispatch Jared and his formerly overweight goons to crack down on Subway if they don't honor the $3.49 Troll Tuesday deal. Make sure you provide the store number and address. Mine is store number 5839. Don't believe me about the concept of the jared dispatch? Yahoo has an article about it here [yahoo.com], although it is pretty light on the details.
Note: I've gotten a few comments that the link to Jared Dispatch doesn't work. I think the site got taken down because of abuse of the service. Although the site got taken down, I still highly recommend Subway and their high quality subs. To show my appreciation, here is a link to Free Subway Coupons. I had to redirect it through Yahoo's site redirector because of the filter at work. Anyways, here is the link! [yahoo.com]
Note 2: I've received word that those links to yahoo actually point to goatse.cx. I am truly sorry about that, and I found the cause. A couple weeks ago, a hacker broke into yahoo and set up some scripts that redirect the user to goatse.cx if a file is in a certain directory. I accidentally tried to access a file in one of those haunted directories. I fixed the links (I have a cousin who works at yahoo), so they should bring you to the actual sites now, not goatse.cx. Update 10/28: The hacker, or should I say hax0r [mailto], actually has posted a page on yahoo on how he did it and how the goatse redirector works. It's a very good read. I suggest reading it soon before yahoo finds out about it and takes it down. Check it out ASAP [yahoo.com]!
Note 3: I am working on locating the articles using google's cache. It is taking some time because I don't remember the exact titles. However, I hope to have the links fixed and working very soon. Keep eating at Subway in the meantime, and request that they bring back the jalapeno cheese roll. It is a fanscrumptiously brilliant roll.
Note 4: To all those who think that sub is an incorrect term, I live in upstate NY, and we call it a sub here. There are no hoagies, grinders, po'boys, footlongs, heroes, or any other made up names. It's not hoagieway after all, it's Subway.
Important: It is my duty to report to you, loyal low-threshold readers, of a very disturbing incident that happened to me last week. I went into subway at the normal lunch time, but instead of the standard line out the door, the restaurant was vacant. Normally, the queue doesn't concern me, since the crew knows enough to make me a footlong Italian BMT with my standard fixin's and have it ready at 11:30 sharp, on tuesdays. I approached the counter casually, when two bulky men appeared from each side of the potato chip display rack. They held me down, and Jared appeared from behind the counter. He took my preprepared footlong BMT and cracked an evil grin. The manager grabbed the bottle of italian dressing and lubed up my general ass area. Jared shoved the footlong Italian BMT repeatedly into my ass, mixing it with the chucks of feces that were in my bowels, until the fresh crisp veggies resembled brown spoiled food. I begged him to stop, but little did I know the torture waiting for me. He took the italian dressing, and squirted it into my pee hole. Now, it burns when I pee, and it hurts when I sit. I asked him why he was doing this, and he said that they had tracked me down for my abuse of the Jared Dispatch system. You see, Jared gets airsick, and his constant flying over the country has caused him to lose weight due to his vomiting on planes. Normally, this loss of weight would be a good thing, but Subway can't actually claim that he lost weight by eating Subway subs. They told him to put the weight back on and then lose it again by eating subs, somthing Jared does not want to do. As a result, they are the ones who closed down Jared Dispatch. I am begging you, loyal readers DON'T GO TO JARED DISPATCH [yahoo.com] ANY MORE. Thank you for your time. I have to go to Subway now, and tell them that I want less italian dressing on my footlong Italian BMT. Remember, if you don't eat at subway, then the terrorists win! 
(note: On the link above, I used client-side redirection. Therefore, if it sends you to goatse.cx, it is a problem with YOUR COMPUTER, NOT THE WEB PAGE!)

FP (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4652920)

Foist Poist

Escape (5, Informative)

Borodimer (201221) | more than 11 years ago | (#4652925)

Escape your binds, use djbdns.

Re:Escape (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4652942)

better yet, use awhdirekhaw !

AMEN! (1, Interesting)

Anonymous Coward | more than 11 years ago | (#4652951)

All hail djbdns! ... now if we could only convince djb to loosen some licensing issues.

Re:AMEN! (0)

Anonymous Coward | more than 11 years ago | (#4653038)

I hear that complaint a lot (ie - more than once). Honestly, I think it's invalid. If you can find a bug in it, you'll get paid. Does BIND make that offer?

Free as in speech isn't all that useful if it also means free for anybody to root your box.

Re:AMEN! (3, Interesting)

thogard (43403) | more than 11 years ago | (#4653199)

That's just like the postfix situation. No one has reported bugs.... however if you look at most of the sendmail "bugs" over the last 5 years, you will find they work around bugs in standard libraries and operating systems, not the main program code. If you look at the patches to sendmail and check whether they are needed and applied to other packages, you will find they were needed but aren't applied. None of the people paying for bug reports will pay for bugs in the OS.

Re:Escape (5, Funny)

Anonymous Coward | more than 11 years ago | (#4653094)

Escape your need for functionality, well-documented behaviors and the ability to freely import and export zone data without being a 15th-century sorcerer.

Re:Escape (2, Insightful)

passthecrackpipe (598773) | more than 11 years ago | (#4653118)

This is why [linuxmafia.com] running BIND9 instead of the djb stuff may be a very good idea.

Re:Escape (1, Interesting)

Anonymous Coward | more than 11 years ago | (#4653195)

He's a Stallman wannabe. In other words, an asshole.

If he's running BIND9 instead of Bernstein's program, he's a moron too.

Re:Escape (3, Informative)

AirLace (86148) | more than 11 years ago | (#4653175)

djbdns is a great codebase, but it's starting to suffer from a few issues. Find a vulnerability and you're not even allowed to release a fixed version! The license is in some ways _more restrictive_ than (dare I say it) Microsoft's Shared Source.

There hasn't been a djbdns release since 12-Feb-2001 [freshmeat.net] and the project is bound to go stale sooner or later if djb does not renew his interest. How many companies or networking professionals out there are going to use DNS software which has a single human point of failure? I won't even go into the "hit by a bus" argument.

Granted, djbdns comes with some cute gimmicks like the "security guarantee [cr.yp.to]". But for all of BIND's problems, the fact that it's open source makes it the better option in this case. Better the devil you know..

MOD PARENT UP (0)

Anonymous Coward | more than 11 years ago | (#4653216)

anyone else find the djbdns user community arrogant and unhelpful in the extreme? they use djbdns because they don't know better, but soon the licensing issues they care so little about will come and bite them in the ass

Re:MOD PARENT UP NOT! AIRLACE is a fool (0)

Anonymous Coward | more than 11 years ago | (#4653320)

http://developers.slashdot.org/comments.pl?sid=42488&cid=4465167

The DJBDNS community gives excellent help. Their policy is that you don't mung files. If you do then they will be grasping at straws and that doesn't do anybody any good.

AIRLACE did it. (-1)

Anonymous Coward | more than 11 years ago | (#4653263)

Hey you're the dipsh*** that probably caused the bind exploit. Didn't you maintain the codebase for a year?
http://developers.slashdot.org/comments.pl?sid=42488&cid=4465167

You fool....

Re:Escape (1)

grub (11606) | more than 11 years ago | (#4653326)


I was thinking of installing some of DJB's software but then I realized I'd need to go buy another hard drive for /var as he likes his stuff to live there..


only half joking.

And I guess... (5, Insightful)

nagora (177841) | more than 11 years ago | (#4652932)

...that's why I run Bind 9 and keep it updated.

TWW

Yep (1)

AGTiny (104967) | more than 11 years ago | (#4652994)

Yeah don't most people run Bind 9 these days? My Redhat 7.1 and 7.3 servers are both at bind-9.2.1.

Re:And I guess... (3, Informative)

dsb3 (129585) | more than 11 years ago | (#4652999)

> ...that's why I run Bind 9 and keep it updated.

The more pressing concern is that parts of bind4 and bind8 are so far ingrained in standard system libraries and other binaries that simply changing to use bind9 as your nameserver doesn't remove the old, buggy code from your system.

Re:And I guess... (3, Informative)

RollingThunder (88952) | more than 11 years ago | (#4653066)

Not really a good argument though (if I understand you right). If it's the system libraries and precompiled binaries you're worried about having BIND4/8 "cancer", then it doesn't matter *what* you do - BIND9, TinyDNS, MaraDNS, DJBDNS. That cruft will still be in there, until you recompile everything without said base libs.

Re:And I guess... (5, Informative)

Zapman (2662) | more than 11 years ago | (#4653157)

This is not very valid, since this is an exploit to attack DNS *SERVERS*. Not clients with the shared libs. Besides to attack a client, they first need to get you to go to some compromised DNS server, with an application utilizing the bad resolver libs.

Besides, there are some good security points you should be doing anyway on the server. Unless you must have it, turn off recursion:

// only these networks may request zone transfers or recursive lookups
acl safenets { 127.0.0.1/32; your.internal.ips/??; };

options {
    allow-transfer { safenets; };
    allow-recursion { safenets; };
};

between that, a solid chroot, and a solid setuid, you'll have beaten 99% of the bind problems you'll have.
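As an added check for the two restrictions in the configuration above (not code from the post or from ISC), this script parses a named.conf fragment, expands acl names, and reports whether allow-recursion and allow-transfer are open to the world, restricted, disabled by "recursion no;", or left at the server default. The sample configurations are constructed; 10.0.0.0/8 stands in for the post's your.internal.ips placeholder.

```python
"""Audit a named.conf for the recursion and zone-transfer restrictions discussed above.

Constructed example, not ISC code. It understands flat acl statements and the
options block; it does not evaluate view or zone blocks or BIND's implicit defaults.
"""
import re
from typing import Dict, List, Optional

# Constructed fragments in the shape of the post's configuration.
RESTRICTED_CONF = """
acl safenets { 127.0.0.1/32; 10.0.0.0/8; };   // stand-in for your.internal.ips
options {
    directory "/var/named";
    allow-transfer { safenets; };
    allow-recursion { safenets; };
};
"""

OPEN_CONF = """
options {
    directory "/var/named";
    allow-recursion { any; };    # an open resolver
};
"""


def strip_comments(text: str) -> str:
    """Remove /* */, // and # comments so they cannot hide or fake a statement."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def block_body(text: str, keyword: str) -> Optional[str]:
    """Text between the braces of the first `keyword { ... }` statement."""
    m = re.search(r"\b" + re.escape(keyword) + r"\s*\{", text)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    raise ValueError(f"unbalanced braces in {keyword} block")


def match_list(body: str) -> List[str]:
    """'a; b;' -> ['a', 'b'] (an address match list without nested lists)."""
    return [e.strip().strip('"') for e in body.split(";") if e.strip()]


def expand(elements: List[str], acls: Dict[str, List[str]], seen=frozenset()) -> List[str]:
    """Replace acl names by their contents, guarding against acl cycles."""
    out: List[str] = []
    for e in elements:
        if e in acls and e not in seen:
            out.extend(expand(acls[e], acls, seen | {e}))
        else:
            out.append(e)
    return out


def classify(elements: List[str]) -> str:
    positives = [e for e in elements if not e.startswith("!")]
    if "any" in positives:
        return "open"            # anyone on the Internet matches
    if all(e == "none" for e in positives):
        return "closed"          # empty list or 'none': nobody matches
    return "restricted"          # localhost/localnets/CIDRs/keys only


def audit(conf: str) -> Dict[str, str]:
    """Status of allow-recursion and allow-transfer in the options block."""
    text = strip_comments(conf)
    acls = {m.group(1): match_list(m.group(2))
            for m in re.finditer(r'\bacl\s+"?([\w.-]+)"?\s*\{([^{}]*)\}', text)}
    options = block_body(text, "options") or ""
    recursion_off = re.search(r"\brecursion\s+no\s*;", options) is not None
    report: Dict[str, str] = {}
    for key in ("allow-recursion", "allow-transfer"):
        if key == "allow-recursion" and recursion_off:
            report[key] = "disabled"   # 'recursion no;' makes the list moot
            continue
        m = re.search(r"\b" + key + r"\s*\{([^{}]*)\}", options)
        if m is None:
            report[key] = "unset"      # server default applies; set it explicitly
        else:
            report[key] = classify(expand(match_list(m.group(1)), acls))
    return report


if __name__ == "__main__":
    for name, conf in (("restricted", RESTRICTED_CONF), ("open", OPEN_CONF)):
        print(name, audit(conf))
```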

tinydns: internal and external views? (4, Interesting)

MORTAR_COMBAT! (589963) | more than 11 years ago | (#4652935)

Does TinyDNS support internal and external views? By this I mean, can it return a different IP for the host "foo.my.com" based on what subnet a client is connecting from (e.g., return 192.168.10.11 for all clients in 192.168.* and return 4.3.17.45 for all clients outside of that)? If so, I will switch. If not, I need that function of Bind 9.

Re:tinydns: internal and external views? (0)

Anonymous Coward | more than 11 years ago | (#4652957)

It supports split-horizon DNS very easily.

Re:tinydns: internal and external views? (5, Informative)

dsb3 (129585) | more than 11 years ago | (#4652972)

> Does TinyDNS support internal and external views?

Yes. This page shows you how http://cr.yp.to/djbdns/tinydns-data.html [cr.yp.to]

Re:tinydns: internal and external views? (1, Troll)

MORTAR_COMBAT! (589963) | more than 11 years ago | (#4653107)

That page does not contain the words "subnet" "view" "horizon" or "internal". So that page hardly shows me how. I've just always found the TinyDNS zone format and configuration to be much harder to use than BIND 9.

Re:tinydns: internal and external views? (4, Informative)

spacey (741) | more than 11 years ago | (#4653283)

The format is pretty flexible. From the above page, the important part is:

For versions 1.04 and above: You may include a client location on each line. The line is ignored for clients outside that location. Client locations are specified by % lines:

%lo:ipprefix

means that IP addresses starting with ipprefix are in location lo. lo is a sequence of one or two ASCII letters. A client is in only one location; longer prefixes override shorter prefixes. For example,

%in:192.168
%ex
+jupiter.heaven.af.mil:192.168.1.2:::in
+jupiter.heaven.af.mil:1.2.3.4:::ex

specifies that jupiter.heaven.af.mil has address 192.168.1.2 for clients in the 192.168.* network and address 1.2.3.4 for everyone else.

This shows, using the shorthand "in" for internal and "ex" for external, the syntax for creating the equivalent of bind's views. It's pretty flexible. And not hard at all.

I do wish that djb could have made his format a bit more consistent, but when I think about it it's probably impossible considering that DNS requires some oddball fields. Having written a parser, it's pretty darn easy to read and parse, especially compared to the bind format after an axfr, where it keeps redefining "@".

-Peter

Re:tinydns: internal and external views? (2)

dsb3 (129585) | more than 11 years ago | (#4653302)

Search for this string in the referenced page.

"... specifies that jupiter.heaven.af.mil has address 192.168.1.2 for clients in the 192.168.* network and address 1.2.3.4 for everyone else."

Now, why do you need any of the four words you quote to explain/demonstrate the concept?

Re:tinydns: internal and external views? (2)

dizco (20340) | more than 11 years ago | (#4653359)

Top of the page, at the bottom of the section titled data format:

For versions 1.04 and above: You may include a client location on each line. The line is ignored for clients outside that location. Client locations are specified by % lines:

%lo:ipprefix

means that IP addresses starting with ipprefix are in location lo. lo is a sequence of one or two ASCII letters. A client is in only one location; longer prefixes override shorter prefixes. For example,

%in:192.168
%ex
+jupiter.heaven.af.mil:192.168.1.2:::in
+jupiter.heaven.af.mil:1.2.3.4:::ex

specifies that jupiter.heaven.af.mil has address 192.168.1.2 for clients in the 192.168.* network and address 1.2.3.4 for everyone else.
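The location rule quoted in this post and in spacey's post above, worked through as an added example (not djbdns code): a small parser for % and + lines that picks a client's single location by longest prefix and returns the addresses that client would be served. It assumes, as the docs' "192.168.* network" wording suggests, that an ipprefix is matched octet by octet rather than as a raw string; the data file is constructed from the quoted lines plus one host with no location.

```python
"""Resolve tinydns-data '+' records the way the quoted '%' location rule describes.

Constructed example; not code from djbdns. Assumes (as the quoted docs' '192.168'
example suggests) that an ipprefix is matched octet by octet, not as a raw string.
"""
from typing import List, Optional, Tuple

Octets = Tuple[int, ...]

# Constructed data file: the two jupiter lines from the quoted docs plus one
# host with no location, which is served to every client.
SAMPLE_DATA = """\
%in:192.168
%ex
+jupiter.heaven.af.mil:192.168.1.2:::in
+jupiter.heaven.af.mil:1.2.3.4:::ex
+mars.heaven.af.mil:5.6.7.8
"""


def octets(prefix: str) -> Octets:
    """'192.168' -> (192, 168); '' -> () which is a prefix of every address."""
    if prefix == "":
        return ()
    parts = tuple(int(p) for p in prefix.split("."))
    if len(parts) > 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad ipprefix {prefix!r}")
    return parts


def parse_data(text: str) -> Tuple[List[Tuple[Octets, str]], List[Tuple[str, str, str]]]:
    """Return (locations, records).

    locations: (octet_prefix, lo) pairs from '%' lines.
    records:   (fqdn, ip, lo) triples from '+' lines; lo == '' means any client.
    """
    locations: List[Tuple[Octets, str]] = []
    records: List[Tuple[str, str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, fields = line[0], line[1:].split(":")
        if kind == "%":
            lo = fields[0]
            if not (1 <= len(lo) <= 2 and lo.isascii() and lo.isalpha()):
                raise ValueError(f"location must be one or two ASCII letters: {lo!r}")
            prefix = fields[1] if len(fields) > 1 else ""
            locations.append((octets(prefix), lo))
        elif kind == "+":
            # +fqdn:ip:ttl:timestamp:lo -- ttl and timestamp are ignored here
            lo = fields[4] if len(fields) > 4 else ""
            records.append((fields[0].lower(), fields[1], lo))
        # other record types (., &, =, @, ...) are outside this example
    return locations, records


def client_location(client_ip: str, locations: List[Tuple[Octets, str]]) -> Optional[str]:
    """A client is in only one location: the longest matching prefix wins."""
    ip = octets(client_ip)
    best: Optional[str] = None
    best_len = -1
    for prefix, lo in locations:
        if len(prefix) > best_len and ip[: len(prefix)] == prefix:
            best, best_len = lo, len(prefix)
    return best


def lookup_a(fqdn: str, client_ip: str, text: str = SAMPLE_DATA) -> List[str]:
    """Addresses the server would answer for fqdn to a client at client_ip."""
    locations, records = parse_data(text)
    lo = client_location(client_ip, locations)
    return [ip for name, ip, rec_lo in records
            if name == fqdn.lower() and rec_lo in ("", lo)]


if __name__ == "__main__":
    for client in ("192.168.7.7", "1.2.3.4"):
        print(client, "->", lookup_a("jupiter.heaven.af.mil", client))
```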


Re:tinydns: internal and external views? (1)

asland (26316) | more than 11 years ago | (#4652983)

Yes, you run multiple dns servers, one listening on the interface to the internal network, and one listening on the interface to the external network.

Re:tinydns: internal and external views? (0)

Anonymous Coward | more than 11 years ago | (#4652988)

I believe so. But you may want to check the documentation at the TinyDNS [tinyurl.com] website.

My dns servers already bugged. (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4652959)

I typed in goatse.cx and i ended up on this page.

Developers, Developers, Developers! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4652962)

All your base are belong to us!!!!

Tinydns is a pain in the ass to install (0, Flamebait)

Anonymous Coward | more than 11 years ago | (#4652973)

And I don't buy that it's secure just "because DJB wrote it."

Use BIND 9. It works, it's secure, it supports DNSSEC, and doesn't have the byzantine architecture (read: clusterfuck) of tinydns.

Re:Tinydns is a pain in the ass to install (3, Interesting)

Geekboy(Wizard) (87906) | more than 11 years ago | (#4653166)

No, it's secure because no one has ever found a flaw in tinydns. He has a *cash* reward for anyone who can prove that it is flawed. No one has taken the money, in several years of it being offered.

Re:Tinydns is a pain in the ass to install (5, Funny)

ComaVN (325750) | more than 11 years ago | (#4653334)

Hey, this guy [timecube.com] offers $10,000.00 to anyone who can disprove his *AHEM* theory, and no-one has taken HIS money.

Re:Tinydns is a pain in the ass to install (0)

Anonymous Coward | more than 11 years ago | (#4653209)

DNSSEC? Now there is a clusterFsck. I can install a working dns in 10 minutes with djbdns. That was the first time I had worked with DNS. Can you do that with BIND? I bet not.

Re:Tinydns is a pain in the ass to install (0)

Anonymous Coward | more than 11 years ago | (#4653342)

Which he has weaseled out of on a number of occasions to make it a running joke. It is also the slowest DNS server out there. I really don't see why people like it so much.

WHAT A BUNCH OF CRAP??? (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4652980)

How hard is it to write a program that tells people that 'www.slashdot.org' = 66.35.250.150 using UDP port 53???

Idiots...

Re:WHAT A BUNCH OF CRAP??? (1)

Karamchand (607798) | more than 11 years ago | (#4653023)

uhm. you know there's more to do for a DNS server? Like reverse lookups? MX lookups? ......?
Not that easy as you might think! But - why didn't you write a fast, secure, simply ideal DNS server?

"I guess this is why i run tinydns." (4, Informative)

mickwd (196449) | more than 11 years ago | (#4652989)

Alternatively, you could update to the latest version of BIND.

From the advisory:

"BIND 9 was not affected by any of the vulnerabilities described in this advisory."

Troll submission (1)

Dammital (220641) | more than 11 years ago | (#4653102)

"I guess this is why i run tinydns."

BIND 9 has been available for TWO YEARS, Troll.

Re:Troll submission (2)

mickwd (196449) | more than 11 years ago | (#4653179)

Troll ???

Just to clarify: You do know the meaning of quotation marks, and you are referring to the poster of the original story, right ?

Re:Troll submission (0, Offtopic)

Dammital (220641) | more than 11 years ago | (#4653247)

My apology! By "submission" I meant the original story. Had I meant your comment, I would have said "post". I probably wasn't clear.

I followed up to your post because I was taking your point -- except that I added the "two years" reference. And of course called the submittor a troll.

Kind regards!

patches already available (5, Informative)

Anonymous Coward | more than 11 years ago | (#4652990)

linx pro [cjb.net] has more information on the exploit, including patches to fix it.

Does MS fix their vulnerabilities that fast? Judging by the number of klez variants in my inbox, I'd say "no".

Re:patches already available (2)

afidel (530433) | more than 11 years ago | (#4653288)

Klez was fixed before it was released. Just because the users don't patch doesn't mean that MS didn't supply one.

Re:patches already available (2)

ceejayoz (567949) | more than 11 years ago | (#4653330)

Does MS fix their vulnerabilities that fast?

Considering that according to the BIND history page [isc.org] BIND4 has been out since the 80s and BIND8 since 1997, I'd say this isn't exactly a glowing example of OSS's "quick fixes".

Don't slashdot ISC yet (3, Informative)

SpaFF (18764) | more than 11 years ago | (#4653000)

http://www.isc.org/products/BIND does NOT have the updated versions (4.9.11, 8.2.7, 8.3.4) that address these security issues posted yet (as of 1:16 CST). Perhaps slashdot should update the story once the tarballs become available.

In other news (5, Funny)

pheph (234655) | more than 11 years ago | (#4653005)

Another vulnerability has been found in Microsoft Windows 98...

Come on, Bind 9 has been out for some time, so don't flip out! [realultimatepower.net]

Newer major versions often drop features (2, Insightful)

yerricde (125198) | more than 11 years ago | (#4653227)

Another vulnerability has been found in Microsoft Windows 98...

I take that comment to imply: "Windows 98 Second Edition is too old to be supported; all users of Windows 98 Second Edition should upgrade to Windows XP Home Edition." The problem with upgrading from one major version of a product to the next just to fix a bug is that newer major versions will often drop useful features that an older version had. For instance, Windows XP Home Edition loses Windows 98's competent support for running proprietary applications designed for MS-DOS. In addition, XP Home loses the ability to run acceptably on a 133 MHz machine with 32 MB of RAM.

Does BIND 9 drop major features or require more hardware for a given level of service vs. BIND 8?

Re:Newer major versions often drop features (0)

Anonymous Coward | more than 11 years ago | (#4653332)

Does BIND 9 drop major features or require more hardware for a given level of service vs. BIND 8?

No, it is faster, more scalable, and more featureful. There's no reason anyone should still be running BIND 4 or 8.

Re:Newer major versions often drop features (2)

pheph (234655) | more than 11 years ago | (#4653336)

I think you are absolutely right... However, Windows 98 still has many many more vulnerabilities than Windows XP. You just need to balance security (read: newer) with useful (read: needed) features.

Did ISS tell bind maintainers? (4, Interesting)

spacey (741) | more than 11 years ago | (#4653012)

It was pointed out on the nylug-talk list that the advisory doesn't seem to include any info about whether nominum, paul vixie, or the ISC was notified about the bug.

Does anyone know if ISS did the right thing, or are they being big doo-doo-heads?

-Peter

Re:Did ISS tell bind maintainers? (5, Informative)

Black Art (3335) | more than 11 years ago | (#4653120)

ISS did not inform any of the Unix vendors.

They are pretty pissed about it.

Alan Cox's response was "Well we can all express our deep regret at the inability of the ironically named ISC to work with the internet and society in all the announces."

BTW, Bind 9 does not fix all of these problems and the fixed versions will be out next week.

This is not the first time that ISS has released information like this without informing the vendors ahead of time.

Re:Did ISS tell bind maintainers? (5, Insightful)

tekBuddha (546826) | more than 11 years ago | (#4653140)

It was mentioned on the FreeBSD-Security list this morning that ISS had informed vendors that they were going to go public with this advisory tomorrow and not today. So in answer to your question, Yes, the vendors have apparently been notified.

This however appears to be yet another situation where ISS has gone ahead and released an advisory before the vendors have actually had a chance to make patches available to the public.

This is supposed to be a security firm that is trying to assist the public in keeping their boxen secure? If so, I'm really scared of the firms that are out there really trying to do damage.

Re:Did ISS tell bind maintainers? (1)

kireK (254264) | more than 11 years ago | (#4653164)

Since when was ISS worried about how the community thought of them? But I bet ya that their sales reps will be using this vulnerability in OLD versions of bind to sell more product. Notice that they did not tell users to move to Bind9.

Re:Did ISS tell bind maintainers? (3, Interesting)

Black Art (3335) | more than 11 years ago | (#4653340)

The message to the vendors came out at about 11pm.

The announcement to the public happened about nine hours later.

The vendors were blindsided by this.

Tips (5, Informative)

ekrout (139379) | more than 11 years ago | (#4653039)

- Most smaller networks don't need a large (and dare I say buggy) installation of BIND.
- May I suggest djbdns [freshmeat.net] rather than BIND? Its creator says "every step of the design and implementation has been carefully evaluated from a security perspective. The djbdns package has been structured to minimize the complexity of security-critical code. dnscache is immune to cache poisoning. It is advisable to use the package as a secure alternative to BIND."
- May I suggest Dnsmasq [freshmeat.net], which is described by its creators as a "lightweight, easy to configure DNS forwarder designed to provide DNS (domain name) services to a small network where using BIND would be overkill".

Re:Tips (0)

Anonymous Coward | more than 11 years ago | (#4653091)

djbdns isn't an option for those of us that want to run free software, sorry.

Welcome to System Administration 101 (0, Flamebait)

ekrout (139379) | more than 11 years ago | (#4653127)

- Free
- Secure

Choose one.

Re:Welcome to System Administration 101 (0)

Anonymous Coward | more than 11 years ago | (#4653178)

Free software can't be secure?

Re:Welcome to System Administration 101 (0, Offtopic)

runderwo (609077) | more than 11 years ago | (#4653189)

I guess you don't use Postfix, PureFTPd, OpenSSH, BIND 9, or OpenBSD, for that matter. Since they are free, they cannot be secure.

Re:Welcome to System Administration 101 (1)

Uma Thurman (623807) | more than 11 years ago | (#4653215)

Ladies and gentlemen, we're witnesses to the birth of a little baby meme. I think this one's going to go really far.

Re:Welcome to System Administration 101 (1)

Uma Thurman (623807) | more than 11 years ago | (#4653246)

Oh, I spoke too soon. That baby was stillborn. But there's a fraternal twin:

1) Proprietary
2) Secure

Choose one.

Re:Welcome to System Administration 101 (1)

earlytime (15364) | more than 11 years ago | (#4653333)

d'oh! i modded with the wrong remark, this certainly isn't offtopic. hopefully posting this comment will unmod the modding.

Re:Tips (0)

Anonymous Coward | more than 11 years ago | (#4653300)

OMG your sig is pathetic.

Pah (0, Troll)

Anonymous Coward | more than 11 years ago | (#4653050)

Frankly, anyone still using BIND 4 deserves to get rooted.

Anyone still running BIND 8 should be given a good slap and told to upgrade.

Anyone running BIND 9, well done.

Re:Pah (0)

Anonymous Coward | more than 11 years ago | (#4653080)


Frankly, anyone still using BIND 4 deserves to get rooted.

The audited version of BIND that comes with OpenBSD is 4.x. I'm not sure if this security problem affects it though.

TinyDNS mirror (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4653053)

can be found here [tinyurl.com].

www.nvnews.net has pulled parhelia review? (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4653059)

www.nvnews.net has pulled parhelia review?

Where does the link go?

Re:www.nvnews.net has pulled parhelia review? (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4653147)

Yeah! Following the discussion, the Parhelia showed off using LARGE resolutions whereas nVidias offerings sucked in comparison.

You don't say the supposed 128Mb bandwidth of NV30 has started to show off _this_ way? PITA!

Or you could use bind 9... (5, Informative)

Anonymous Coward | more than 11 years ago | (#4653068)

It's not surprising that bind 4 and 8 have the same vulnerabilities - they're based on the same code base, after all. Bind 9 was 100% rewritten, is modular, and actually *checks its inputs*, avoiding buffer overruns and such.

It uses RFC-specified zone file format, it's extremely functional (internal/external views of DNS based on query source, TSIG authenticated DNS transactions, DNSSEC authenticated DNS records).

In the couple of years the bind 9 code has been out there, the only vulnerabilities it's had caused the server to shut itself down immediately, as it realised something was wrong with its input. That's likely to be its only failure mode in the future - stick a wrapper around it that restarts it when it dies, and you'll be right as rain.

Passive Worm Potential... PATCH NOW (5, Insightful)

nweaver (113078) | more than 11 years ago | (#4653086)

The potential for a passive worm is actually fairly high, given that the exploit needs to come in response to a DNS query: The worm infects a DNS server, and waits for queries. It responds to those queries from other DNS servers by attempting to infect them.

The nasty parts: Enough people dual-use their DNS servers (serving as both authoritative master for outside and for their own lookups) that you could get lots of authoritative masters. It also does NOT scan.

It could be made even stealthier if the exploit, on failure, would still function. On success, it of course functions normally. This might be harder, but, if so, it would be really REALLY hard to detect such a worm.

It would take a bit of writing to get right, so there is a good window in which to patch your machines. So patch SOON.

Strawman worms (2)

AndroidCat (229562) | more than 11 years ago | (#4653187)

According to the article, exploiting these bugs will terminate the DNS. There's no mention of being able to infect the server. I'm not sure why the article mentions worms, other than the possibility of h4x0red Win boxes pounding on the bug.

Not So Strawman Worms (5, Informative)

nweaver (113078) | more than 11 years ago | (#4653343)

Two of the attacks are DoS: You crash the server, end of story. One, the buffer overflow, can potentially execute code.

The only "gotcha" in that exploit is that an attacker needs to control a DNS server which the victim DNS server queries. Thus it is a passive attack, the victim must query you, not the other way around.

That is why the attacker uses a passive worm: The worm infects a DNS server, which in addition to being the local DNS server, serves as the authoritative master DNS server for some domains. When another DNS server queries the infected authoritative master, the authoritative master's response is designed to compromise the requesting server.

This compromise is followed by a transfer of the worm code itself, and now the victimized server is infected as well.

As I said, this doesn't scan, which makes it particularly nice and stealthy.

You could also make an active scanning worm as follows: There are 2 kinds of nodes, authoritative DNS servers and other DNS servers. If you infect an authoritative DNS server, the worm knows it. Otherwise, it knows the authoritative DNS server it was infected from.

The worm "scans" by sending DNS queries (ideally with forged from addresses) which will trigger a lookup from the known corrupted authoritative server. This can then go through the net, rather noisily, and infect all servers which accept remote queries. This process can be sped up considerably by looking through the local cache for a list of all DNS servers that the corrupted machine knows about. Rough guess? Less than an hour to infect everything which can listen to the net, and you still have the passive attack to get DNS machines behind firewalls etc.

The fortunate thing: Although the possible worms are either very fast (lots of vulnerable machines, topological speedup from using the cache) or very stealthy (no scanning at all, a contagion strategy), both techniques require a fair amount of BIND specific programming to develop and release: You need to not only craft the exploit, but keep bind running and transmit the exploit.

So no kiddiot can simply drop exploit code into scalper.c and get it to work, instead there is a considerable amount of programming needed. So we do have a significant time window to patch machines, but they do need to be patched because it is a very "worm friendly" exploit pattern.

Another Indian (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4653090)

The article says
"Credits: These vulnerabilities were discovered and researched by Neel Mehta of the ISS X-Force..."
Neel Mehta = Indian
Also, if you missed it, Microsoft to invest another $400 million in India.
Here it is: http://zdnet.com.com/2100-1106-965378.html [com.com]

In other news... (0)

Anonymous Coward | more than 11 years ago | (#4653143)

...sun rises in the East.

/. should be more precise with security flaws news (3, Informative)

rsd (194962) | more than 11 years ago | (#4653155)

Just old versions of bind,
Bind 4.x and 8.x are vulnerable to this.

Version 9, which is a complete rewrite from scratch
and the version that everyone running bind should be using,
does not suffer this security flaw.

Slashdot editors should take an extra care when posting
news like this to avoid FUD and unnecessary panic.

Haven't people learned yet? Don't use bind. (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#4653161)

Haven't people learned yet? Don't use bind.

DJB Qmail, TDNS? tsarkon report editor zealots (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4653191)

If you think TinyDNS is any good. HAHAHAHAHAHAHA. HAHAHAHAHA. Oh man. HAHAHAHA. Michael you are such a tool. And you have to moderate this down. And you have to think. "I am superior, I know better than this AC, I am better."

But you are wrong.

DJB is a strange person. With a horrible license (must install in gay non standard directory that not ONE *nix dist uses, EVER) . Horribly feature deprived software and he LIES about awarding cash to those who exploit his software. Qmail is such a piece of trash. I could listen to an argument advocating postfix, but TinyDNS?

Roll your own or working with BIND. You didn't even read the advisory. I didn't see any exploit code, and ISC already patched the theoretical exploit.

So here we have a responsible vendor, a good, massive scalable solution to which we all owe a billion successful queries served, and you sit there and smarmily say "I use some strange non standard DNS server with like 10 other people and we are cool."

Who is to say beyond a doubt that if hundreds of millions of people used DJB's crap it wouldn't be a cornucopia of trash? Why don't people use stack guard CC? Why not chroot jail EVERYTHING?

Because it's mental masturbation. Good software is software that is fixed responsibly and quickly. Bad software has this Titanic unsinkable "design" to it. And when the kiddies root something like that its heaven - because no one uses it enough to notice or people think its infallible.

Michael, this is just another editorialization that serves as a testament to your wanna-be jobless sexless fat moronic self is a blithering moronic fool.

Go back to some broken distribution of Linux with Beta C libraries and broken Red Hat compilers. I would like not to have my FreeBSD be polluted further with this piece of garbage of a thread.

Michael, you also can't afford SCSI hard drives. And I laugh at that. Linux on IDE want a cheesy Mac zealot. You can't afford a crapintosh either.

What if you can't use (fill_in_the_blank)? (5, Insightful)

why-is-it (318134) | more than 11 years ago | (#4653196)

For me, it is not really an option to use a tinydns or any other DNS solution other than BIND. Upgrading to BIND9 is not really an option for me either. I work for a large multinational, and we have a lot of UNIX servers (Sun, IBM, and HP in terms of numbers). I get hardware and software support direct from the manufacturer, and if I install an application, or a version of an application that my vendor does not support, I am on my own. These 24-7 support contracts are important to us in being able to sell our services and maintaining our SLA's and availability targets. Those issues aside, I do not want to have to explain to the PHBs that we cannot get support on a particular problem because the application in question is not supported by Sun, or that IBM only supports version 3.4 and we run version 4.0.

So, it is all well and good if someone out there has the choice to install some other software, but keep in mind that it is not necessarily an option for everyone...

Re:What if you can't use (fill_in_the_blank)? (3, Insightful)

arkanes (521690) | more than 11 years ago | (#4653291)

What the fuck are you paying your vendor for if they won't provide fixes for known, proven, and public vulnerabilities? If that's your quality of service, are you really losing anything by giving up their support and installing your own apps?

Solution: (1)

Dot.Com.CEO (624226) | more than 11 years ago | (#4653295)

Make the vendor aware of the problem. Send an email with a detailed explanation of the potential problem your company will experience when (not if) the script kiddies get easy tools to exploit it. Use the words bug, exploit and unsafe throughout the document. Send a couple of relevant links as well.

Most important of all, involve someone higher up at management, preferably putting them on the cc: of the mail you send. If you are responsible for the box, it is your ass on the line if things go wrong. By involving them, you put more pressure on the vendor. Be proactive, pass the problem to your vendor, rather than try to justify yourself when the inevitable happens.

Ever feel... (0)

Anonymous Coward | more than 11 years ago | (#4653252)

like many things posted here about security are actually about advertising? Right now, I have a feeling that this is not about talking about old versions of bind, but about pushing tinydns. After looking at the notice, that felt like ads for ISS. More so, since reading what the moron from ISS said in australia.

first post! (0)

Anonymous Coward | more than 11 years ago | (#4653278)

edit: damn.

Bind 9.2.1 (2, Insightful)

decarelbitter (559973) | more than 11 years ago | (#4653289)

Bind 9.2.1 has been out for a while. If you haven't upgraded yet consider letting someone who does know run your nameservers...

AIRLACE did it (0)

Anonymous Coward | more than 11 years ago | (#4653296)

http://developers.slashdot.org/comments.pl?sid=42488&cid=4465167

AIRLACE claims to have maintained the BIND code base for a year. I bet she did it.

LDAPDNS baby! (1)

Anonymous Coward | more than 11 years ago | (#4653306)

http://www.nimh.org/code/ldapdns/

What's for dinner? (0)

Anonymous Coward | more than 11 years ago | (#4653325)

Well?

Why I LOVE Red Hat Network (3, Informative)

mcrbids (148650) | more than 11 years ago | (#4653351)

Knowing that this might be a vulnerability issue, I immediately logged into my main servers and typed, in each, "up2date -du --tmpdir=/home/tmpdir".

Before I even realized that this doesn't apply to me, (I'm using Bind 9) all the updates had been downloaded and applied.

And, I guess, in a week or so, I'll get an email from Red Hat letting me know that I should be running up2date again...

-Ben

AIRLACE can't code worth 541t (0)

Anonymous Coward | more than 11 years ago | (#4653366)

http://developers.slashdot.org/comments.pl?sid=42488&cid=4465167