Paranoia(?) and Info

Well, it's been a busy couple of weeks. Things we should all be aware of:

  • J.ROOT Server has moved. This means all of you who manage your own DNS servers should update the named.root (db.root) file on your servers. An updated file is available at ftp.internic.net/domain/named.root
  • Another major series of security vulnerabilities has been discovered in BIND versions 4 and 8 (see CERT Advisory CA-2002-31). Basically, the solution is to upgrade to BIND 9.2.1. Note: We had a lot of problems getting 9.2.1 to run on one of our older Solaris boxes (LWP errors) and had to re-compile without threading support. You can get 9.2.1 from the ISC.org site
  • Meanwhile, our governmental leaders have been busy trying to fix what is not broken. A series of last-minute additions to the Homeland Security Bill have strengthened penalties against “hackers” and allow carriers to become snooping agents of federal law enforcement. Additionally, the bill now encourages software manufacturers to report security flaws by ensuring confidentiality. The bill goes so far as to preempt Freedom of Information Act (FOIA) requests. Although the privacy issues raised by these additions to the bill are frightening, and there are several good resources to get involved in these issues (see CDT for example), this notion that secrecy is equivalent to security in computer systems is just asinine. As a terrorist or hostile agent it would be far easier for me to find an undocumented security bug and exploit it, than to use a known bug which administrators have knowledge of, and have patched or adjusted for. The greater problem is that large software companies (such as Microsoft) are already discouraged from releasing bug reports, due to adverse reactions in the marketplace — after all, who really believes they can run a secure website on IIS nowadays — and to allow them to hide security holes within the government gives them an additional shield against criticism and does not allow the bug to be fully explored: most bugs are not fully fixed in the first patch release, and many fixes have relied on users in the wild to pinpoint all possible exploits within a given bug. Additionally, this type of provision creates two classes of operators — those in the know (presumably Government systems) and the rest of us. How can we, as ops, trust any software provider — or government agency — who is aware of insecurities in our systems, but won't share that information with us? I guess Orwell was right: “War is peace. Freedom is slavery. Ignorance is strength.”
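The first two items above are routine checks an operator can script. The following is an added example, not code from the original post: it parses a root hints file in the named.root (db.root) format, reports which root-server records in a local copy differ from a reference copy (the file one would download from ftp.internic.net/domain/named.root), and checks a BIND version banner against the 9.2.1 minimum the post recommends. The two hints files embedded below are constructed samples using TEST-NET addresses (192.0.2.x), not the real root-server addresses, and the banner strings are constructed; the parser and the `named -v` banner form are assumptions of this example, not anything the post specifies.

```python
import re

# Constructed sample in named.root (db.root) format: the hints file an operator
# already has on disk. TEST-NET addresses (192.0.2.x) stand in for real ones.
LOCAL_HINTS = """\
; constructed sample of a root hints file, not the real named.root
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.1
.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     192.0.2.10
"""

# Constructed reference copy, standing in for the freshly downloaded file,
# in which J.ROOT-SERVERS.NET has moved to a new address (and which carries
# an explicit IN class column, as some copies do).
REFERENCE_HINTS = """\
; constructed sample, same format
.                        3600000   IN NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000   IN A     192.0.2.1
.                        3600000   IN NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000   IN A     192.0.2.20
"""

CLASSES = {"IN", "CH", "HS"}


def parse_hints(text):
    """Parse zone-file style hints into {(owner, type): set(rdata)}.

    Tolerates ';' comments, blank lines and the optional TTL and class
    fields, so files with and without an 'IN' column compare equal."""
    records = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        owner, rest = fields[0].lower(), fields[1:]
        # Drop the optional TTL and class fields so only TYPE RDATA remain.
        while rest and (rest[0].isdigit() or rest[0].upper() in CLASSES):
            rest.pop(0)
        if len(rest) < 2:
            raise ValueError(f"malformed hints line: {raw!r}")
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        if rtype == "NS":
            rdata = rdata.lower()  # host names are case-insensitive
        records.setdefault((owner, rtype), set()).add(rdata)
    return records


def compare_hints(local_text, reference_text):
    """List records that differ: ('stale', owner, type, value) for entries
    only in the local file, ('missing', owner, type, value) for entries only
    in the reference. An empty list means the local hints match."""
    local, ref = parse_hints(local_text), parse_hints(reference_text)
    findings = []
    for owner, rtype in sorted(set(local) | set(ref)):
        mine = local.get((owner, rtype), set())
        theirs = ref.get((owner, rtype), set())
        findings += [("stale", owner, rtype, v) for v in sorted(mine - theirs)]
        findings += [("missing", owner, rtype, v) for v in sorted(theirs - mine)]
    return findings


def bind_version_ok(version_output, minimum=(9, 2, 1)):
    """True when a banner such as 'BIND 9.2.1' (the form assumed here for
    `named -v` output) is at least the minimum the post recommends."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", version_output)
    if match is None:
        raise ValueError(f"no version number found in {version_output!r}")
    return tuple(int(part) for part in match.groups()) >= minimum


if __name__ == "__main__":
    for kind, owner, rtype, value in compare_hints(LOCAL_HINTS, REFERENCE_HINTS):
        print(f"{kind:8} {owner} {rtype} {value}")
    for banner in ("BIND 9.2.1", "BIND 8.3.3-REL"):  # constructed banners
        print(banner, "ok" if bind_version_ok(banner) else "upgrade needed")
```

Run against a real pair of files, the stale/missing lines show exactly which root-server records the local copy still has wrong after the move, which is what you want to see before and after replacing the file and reloading named.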

    This entry was posted by steve on Friday, November 15th, 2002 at 6:47 pm and is filed under Internet, Politics.
