BIND 9 has had a lot of DoS vulnerabilities because of its many asserts. (Addressing this is a goal of BIND 10, actually.)
But BIND 9 has had, as far as I know, zero remote code execution vulnerabilities. So the asserts are doing their job.
I have an open source solution. How about marking pieces of paper with a pen, and then having teams of human beings count them?
It's okay with me for election results to take an extra day or two if they're wide open and monitored at every level by volunteers.
I love high tech as much as the next geek, but high tech solutions aren't always the best ones. (Especially when they're applied to problems that aren't technical but political.)
A friend of mine said recently, "The real problem with Yucca Mountain is figuring out how to make a sign that will, hundreds of thousands of years in the future, no matter what language or symbols will be in use by the cultures that come after ours, still be able to clearly and unambiguously convey the concept: 'WARNING: In twenty years there's going to be nuclear waste here.'"
Thanks for the kind words about BIND and I'm sorry it didn't meet your needs this time. Please encourage your management to contact ISC and tell us about your choices and your experiences.
The only providers who should have received the patches earlier than today were a small group of our support customers who've contracted for advance notice of security issues. They were all told that this was a preliminary patch only, and to watch for betas with better performance--and that the patches were highly confidential and covered by nondisclosure agreements.
Your installation profile doesn't seem to match any of theirs, and in any case I hope they would have let us know before they eliminated BIND from their networks. If you are not one of our support customers, then I'm very concerned that you had the patch in your hands as early as you say you did. Partly because it means you only got a partial picture of the situation, and partly because it means someone violated our trust--and it's important that we know who, so we can emphasize to them that this is not a joke.
Can you please tell me where it was that you got the patch you tested?
The largest DLV repository that validates that the DNSKEYs belong to who they say they belong to (think Verisign-style verification), is run by isc.org.
(My employer, BTW.)
I'm a part of a DNSSEC monitoring project (called SecSpider). [...] This serves the same purpose as ISC's repo, but the data is collected in an orthogonal manner. We currently have DLV records for over 12000 zones, although we haven't directly verified the identity of any of them.
That's an intriguing idea, but it doesn't really serve the same purpose as ISC's DLV until you do verify identity. (Would UCLA's lawyers be comfortable with someone relying on your DLV record repository for, say, banking transactions?)
How in the world did you manage to get hold of the patches, test them, and deploy a competing product on a 90,000+ zone installation in the two hours between the patch's public release and your post? That's... really fast work.
Out of curiosity, what version of BIND were you running prior to the change, and on what OS/hardware?
It is true--and we acknowledged in the release announcements--that the initial security patches (9.3.5-P1, 9.4.2-P1, 9.5.0-P1) cause a significant performance hit on heavily-loaded systems.
There are further code optimizations that get performance roughly back to baseline, but we felt they were too extensive to release without putting them through a beta cycle.
Two beta releases, with the enhanced performance code, were published at the same time as the patches: BIND 9.5.1b1 and BIND 9.4.3b2; you can grab them now (um, for values of "now" that include "very soon"; one of our 10G fiber links picked an unfortunate moment to fail).
The remaining beta, BIND 9.3.6b1, will be released in a few days, because five releases at one time was already enough to juggle.
Unfortunately that's politically non-expedient. But now that this vulnerability is out there, maybe the political will can at last materialize.
The second-best solution is to deploy DNSSEC using DNSSEC Lookaside Validation (which means you get trust anchors from some other known site, not from the root zone). And that's available now.
The worst thing about DNSSEC is it's too damn complicated at present; there needs to be the equivalent of "one-click" zone signing. ISC (and others) are working on getting us closer to that.
The third-best solution is what's been done today. We just made it a lot harder to exploit the vulnerability--typically about 16000 times harder, depending on your configuration. There's a difference between "harder" and "impossible" though.
Every animal species on earth is shaped the way it is because it was an "efficient shape", in the sense of having some adaptive benefit. Elephants, lobsters, giraffes, sperm whales, turtles, ostriches, starfish, squid, snakes--every one of them is the result of just as many billions of years of evolution as we humans are. No doubt they all think of themselves as the "pinnacle of evolution", too.
The fact is, we look the way we look because there was a series of mutations that brought about a species capable of using tools and language, and it happened to occur in monkeys instead of flamingos.
And, good golly, I'm shocked that I momentarily forgot to mention the staggeringly great Stardance and its worthy sequel Starseed. (The third book, Starmind, I can take or leave.)
Spider's uneven, but when he's on, he's wonderful.
...since you asked, is Time Pressure, which is a companion to the almost-as-good Mindkiller. (I say "companion" instead of "sequel" because some time travel is involved, so the books are actually both sequels of each other. Doesn't much matter in which order you read them, but if you're particularly spoiler-averse, you should probably go with Mindkiller first.)
And the Callahan's Bar stories are terrific too, but they take a nosedive after the third book.
He's been saying the same thing for years now, and his data are, to say the very least, suspect. He ignores new technologies such as cellulosic ethanol, assumes the very least efficient methods of farming and of ethanol distillation, ignores the existence of crops that are more than an order of magnitude more productive per acre than corn, compares apples to oranges by neglecting to consider that fossil fuels also have an extraction cost, fails to take into account the energy saved from the free byproducts of ethanol production such as industrial-grade carbon dioxide... I could go on for a long time.
I don't know who funds Pimentel's research, but whoever it is it certainly seems to have a sizable PR budget, because his findings are always very well publicized, and the numerous studies that show the exact opposite, that ethanol has a significant positive energy-return-on-investment, never seem to get nearly as much coverage.
The existence of massive government ethanol subsidies means that there's an incentive on the part of some interests--including some very well-funded ones--to distort the picture. I'm not a fan of the subsidies, but however stupid they may be politically and financially, and however much they may distort the marketplace and slow innovation... that says nothing at all about the energy balance of ethanol production. Science takes precedence over politics.
Disclosure: My nickname is Ethanol, and I'm a big fan of the stuff. But I chose the name, back when I was a chemistry student in college 20 years ago, because of its entertaining qualities when imbibed--not because I have any connection whatsoever to the ethanol industry. I don't.
However, I do also think ethanol is an excellent fuel, and after considerable review of the available data, I'm convinced Pimentel is wrong about it.
All we have to do now is find a way to get linux installed on these puppies and hook up a keyboard, and shopping carts will be an even more indispensable tool for homeless people than they already were.
It used to be that all the spam was telling me to "impress her with my huge new c0ck". Now it's just telling me to "impress her with a r0lex".
Neither one really speaks well of her, does it? But at least before there was still a certain animal physicality about the relationship. Now it's all about the shiny baubles.
I don't know... I just don't think this imaginary relationship is going to last. Maybe I should get back out there, start dating again. 'Course, before I can do that, I'll have to do something about this crippling arthritis of mine...
As a friend of mine suggested, if we port linux to run on these things, and work out some kind of wireless net access, shopping carts could become an even more versatile tool for homeless people than they already were.
There've been electric-powered planes for at least 25 years. Paul MacCready's team, the same ones who built the first human-powered airplane in the 1970s, built a solar-powered (and thus, obviously, electric) airplane called the Gossamer Penguin.
And six years ago, a team at the University of Stuttgart built this, a fully solar-powered self-launching motorglider (that is, an airplane which is intended to shut off its engine and glide once it reaches altitude).
Note that you could work around most of these problems by buying and using a laptop computer:
They have built-in batteries, and need no UPS.
They have built-in monitors (though they're small, and you still may wish to use an external one at times).
Their processors are usually slower than the current state of the art, but they're typically only a year or so behind.
A price differential of $300 will pay for itself in a year of continuous uptime, just from savings on power bills. (If we assume inflated power prices such as we're seeing now in California, and that the alternative is your current powerhog system, the payback period is only three months.)
Best of all... they're quiet.
The big drawback to laptops is you can't mess around with them to anything like the same extent. You're pretty much stuck with the same video card for the life of the computer, for example, and processor or memory upgrades are difficult, and *ix support can be spotty. But I find the tradeoffs well worthwhile.
What I find frustrating is that there's nothing in the world preventing a computer manufacturer from building a desktop system as power-frugal (and as quiet) as a laptop, but none of them do it. Grrr!
Actually, it is not to give them incentive to invent, it is to give them protection that once they invent something, someone can't just go and steal the idea.
Actually, it's to give inventors an incentive to publicize their inventions so that (after a lapse of time) the inventions will become public domain. That's the sole purpose, the raison d'etre. The alternative would be inventors keeping their ideas as trade secrets as the only possible defense against competition, and that would be worse for society as a whole because other inventors would then be unable to build on the work and advance the state of the art.
Problem is, the way patents are enforced makes it easy to start thinking of ideas as "property" that can be "stolen"--which is, if you really think about it, absurd. But we've all been mentally contaminated by this false notion of "intellectual property", and now people think that patents are based on some kind of god-given right to profit from whatever you happen to think of first at the expense of whomever happens to think of it second.
I've worked for SCO (including the Caldera interregnum) for coming on 15 years, and your description of the company's origin is just wildly, insanely wrong. SCO started out as a small consulting firm, and moved into the unix world when it took a contract from Microsoft to develop and package what was then known as Microsoft Xenix. And the company was founded by a father and son team, but "extremely wealthy"? Not.
He's the president of the company that's doing the work.
As my five-year-old son used to say when he was experimenting with profanity but hadn't gotten the hang of it yet, "Oh, for heaven's fuck."
That's not a "DNS flaw".
It's an OpenSSL bug that turned out to affect BIND.
Ah. Well, that's a relief, then, of sorts. :)
Thank you for your reply.
...is to sign the root and deploy DNSSEC.
Let's declare independence and have a separate country.
Come to think of it, I'm surprised no one's thought of that already.
Yes, by golly, I AM!
SCO vs. IBM sure looks a lot more reasonable now, doesn't it?