Forgot your password?
typodupeerror

Comment: Re:djbdns (Score 1) 144

by Red Midnight (#35296794) Attached to: High Severity BIND Vulnerability Advisory Issued

Perhaps you've heard of IPv6 [snip]

Perhaps you've heard of turd polishing?

Find something that supports IPv6 that isn't a security nightmare. They exist. Isn't that your job as a netadmin, anyway? It's because of lazy-assed admins that keep following turds like BIND -- religiously -- that it remains #1 in market share when it should have been kicked to the curb long ago for being the bloated, slow dog that it is.

And I think I've already made my point about the relative easy[sic] [snip]

Security isn't always easy. You've made your deal with devil. Tell me all about it when he calls the tune and your BIND box gets rooted on a weekend or while you're on vacation.

Even if you *did* have to do something custom for a BIND alternative, you only have to do it once and never worry about it again. You make it sound like you have to write the daemon yourself from scratch. Lazy.

Enjoy your patch cycle and watching over your shoulder while I enjoy restful sleep.

Comment: Re:djbdns (Score 1) 144

by Red Midnight (#35295584) Attached to: High Severity BIND Vulnerability Advisory Issued

The most interesting bit with the whole 'X is more secure and the old dinosaur programs" is that most of the new rewrites have the same deadlock or race conditions but they never get fixed. Sendmail and bind have plenty of OS work arounds in their code because they are needed to keep the whole system secure.

Joel Spolsky (the "Joel on Software" guy) advocates never throwing out the code and starting from scratch. Perhaps that's true in most cases, but not with BIND and any BIND derivatives.

IIRC the ISC tried that with BIND 9. Supposedly a rewrite, but I've read opinions that they imported a lot of the old code anyway. It doesn't really matter.

Sometimes you have to lose the old mindset and start with fresh eyes and a new attitude. Go back to basics and follow the KISS rule. DJB, whether you like him or not, did just that.

Part of the problem holding people back is the attitude that they need to retain all the old obscure features. I'm not interested in having a supposedly 'secure' way of transferring zone data when it becomes another vector for attack. I'll take good old ssh/scp, thanks.

Another BIND example I vaguely remember is it had lots of cool ways of logging information. Channels I think it's called. Wow, I could log various events (even security!) to different channels and different files... whatever. Having a secure DNS server in the first place removes the need for a lot of that crap. And seriously, do people actually view their logs to see who is querying their DNS server for what? It's masturbation that ranks up there with caring about who pinged you.

Whether you choose djbdns or an alternative doesn't matter. Just get something with a good security track record that moves away from the old (broken) model. Not to mention using software from a company, ISC, that has some bizarre disclosure policy of revealing fixes to paying clients first, then to the great unwashed 30 days later. I don't know if they still do that, but c'mon, that's a first clue there is something seriously wrong.

I honestly think BIND users are seriously misguided. How many times do you have to poke a stick in your eye before you stop? It was Marcus Ranum that first wrote about the idea of "not playing catch-up" with patches many years ago, and it's not just BIND he or I are referring to.

Comment: Re:djbdns (Score 1) 144

by Red Midnight (#35294226) Attached to: High Severity BIND Vulnerability Advisory Issued

What a load of bullshit.

I don't know about you, I just want to sleep at night not worrying about any exploit du jour, and that definitely includes BIND.

Let me tell you how to update djbdns fast:

1. ssh to your slave.
2. scp your 'data' file.
3. run 'make'

You're seriously going to be a BIND apologist because you can't take 30 seconds to ssh/scp a file?

If you find yourself making DNS changes so often that this is a problem, take the time to automate it and focus on what you're doing, not going down some shit-happy path towards Kerberos enlightenment. Or figure out why you have to keep changing DNS records so often and come up with a better method.

I don't give a rat's ass about all the extra bells and whistles that BIND offers. If you don't need 'em, leave 'em. Simplicity is good for security. I just want my servers to answer queries, and not get DoS or hacked.

djbdns users are laughing at you right now. Yet another BIND problem, whether it's serious or not, and you're all in a tizzy to get the patch. How many times have you walked this path in the last 9 years? It's > 0. How many times have djbdns users worried about the latest patch for the latest problem? Exactly zero.

As for your last point, explaining to your boss, try this one:

10. Explain to your boss that you're not working on 'your project' because you're busy pissing around patching software that has a piss-poor security track record in a critical role. And that you must always be on the watch for patches. Then performing the patches/upgrading the software. Lather, rinse, repeat.

I guarantee that you spend more time patching your BIND crap (and worrying about it) than I spend scp'ing a file.

Sleep well.

+ - poll suggestion

Submitted by Red Midnight
Red Midnight (1440977) writes "How do you pronounce "SQL"?
- sequel
- squirrel
- ess-queue-elle
- NoSQL you insensitive clod
(plus whatever you can think of..)"
Security

+ - Bug in latest Linux gives untrusted users root-> 1

Submitted by Red Midnight
Red Midnight (1440977) writes "Theo De Raadt offered these kind words on the OpenBSD misc mailing list:

If anyone wants a choice quote from me about the recent Linux holes,
this is what I have to say:

        Linus is too busy thinking about masturabating monkeys, he doesn't
        have time to care about Linux security.

For the record, this particular problem was resolved in OpenBSD a
while back, in 2008. We are not super proud of the solution, but it
is what seems best faced with a stupid Intel architectural choice.
However, it seems that everyone else is slowly coming around to the
same solution."

Link to Original Source

Comment: This entire conversation is rediculous (Score 4, Insightful) 354

Why are we even talking about this? The prof was either a complete idiot (and should put his Ph.D. back in the cereal box he got it from) or intentionally broke the law as some act of defiance. What is unclear? He knows he's working on a "secret" project used by the military. He probably got told 6 ways through Sunday he can't talk about it. And he goes to jail because he did what he was told to not do. To say he should not get jail time, or that he's from an academic world, defies logic and COMMON SENSE. Gee, this is a secret military project, I think I'll not only take the data/laptop to China, but I'll share it with Chinese and Iranian students. Gimme a break. It makes no sense. It's much more likely, IMHO, that he was giving a one-finger salute to the US. Even if he weren't, he's a moron, and ignorance of the law is not a valid defence.
The Media

BBC's iPlayer Chief Pushes Tiered Charging For ISPs 172

Posted by timothy
from the if-isp-bills-looked-like-phone-bills dept.
rs232 writes with a link to a story at The Register which begins: "The executive in charge of the BBC iPlayer has suggested that internet users could be charged £10 per month extra on their broadband bill for higher quality streaming." The article suggests (perhaps optimistically) that "after years of selling consumers pipes, not what they carry, [tiered, site-specific pricing] would be tough to pull off."

Swap read error. You lose your mind.

Working...