Slashdot Mirror


User: DC+AirBag

DC+AirBag's activity in the archive.

Stories: 0
Comments: 13

Comments · 13

  1. Re:Learn what the word "cop" means. on Virtual Addiction · · Score: 1
    Huh? "Cop a plea" is already firmly entrenched in the English language, "cop to X" is just a slightly elided version of that. Hardly "trendsetting".

    Don't you agree that

    He cops a plea to being a bit addicted himself
    is a little too awkward to deal with, even for JonKatz?

  2. Re:A complete waste of time on New Mail RFCs Released · · Score: 1
    This isn't an SMTP issue, it's a DNS issue. If you own your domain, then point or re-point your MX records wherever you want. It isn't rocket science...

  3. Re:chrooted BIND? on New Linux Worm · · Score: 1
    I think the consensus in the security community is that chroot()'ing is a waste of time if you're still running as root in the chroot jail.

    Fortunately, BIND can run chroot()'ed and unprivileged...

    My ancestors evolved from primordial ooze, and all I got was this lousy Existential Angst!

  4. No, use BIND *intelligently* instead on New Linux Worm · · Score: 2
    It's unfair to compare BIND 8, which still carries a lot of code baggage from the 80's and early 90's ("buffer overflow? what's that?") to djbdns. A better comparison is between BIND 9, which is a total rewrite (released but still undergoing some stabilization and optimization tweaks), and djbdns. Especially note the standards conformance. DJB implements whichever standards happen to take his fancy, and just ignores the rest. Charming. And BIND 9 was written to be totally multi-threaded. That's a lot of "heavy lifting", code-wise. I doubt very much that djbdns will be able to scale as well as the finished version of BIND 9 will.

    As for the latest (January 29) vulnerability (TSIG), and the worm that now exploits it, this is just yet another reason to run "named" unprivileged and chroot()'ed, and to keep up to date with advisories and patches...

    As for the "$500 cash reward" for finding a security hole in djbdns, don't forget to read the fine print in the guarantee: "My judgment is final as to what constitutes a security hole in djbdns". Feh!

    My ancestors evolved from primordial ooze, and all I got was this lousy Existential Angst!

  5. Re:Buggy internet name daemon on BIND Security Info For "Members Only"? · · Score: 1
    Duh! Any nameserver needs to bind to a reserved port (53) so it needs to have superuser privileges at least part of the time. This makes it just a teensy bit different from your average, garden-variety "simple database lookup utility".

    The ability to run BIND chroot'ed and/or as a non-privileged user after the bind() call has been available for some time now.

  6. Re:A couple of important points on Running BIND 4 or 8? Upgrade! · · Score: 1

    Please provide specifics on these alleged security holes in BIND 9. Thanks.

  7. Re:Please educate me on EFF Appeals 2600 Decision · · Score: 1
    Perhaps you need to familiarize yourself with the case. This judge did not outlaw DeCSS itself, but the mere linking to a site which contained DeCSS source code. This is a slippery slope. If this stands as precedent, then who's to say the next DeCSS case won't go to 2 levels of indirection (outlawing links to sites with links to DeCSS), or 3 levels, or more. Eventually, the entire Net could technically be considered in violation of DMCA, and the studios could shut down any site they felt like, whenever they felt like it.

    Not to mention that we have a tradition of Free Speech here, and moving the hosting of "illegal" speech overseas is just knuckling under to the evil instead of confronting and defeating it. As they say, the price of liberty is eternal vigilance. Occasionally this means litigation...

  8. Re:No need for firewalls? on The Fight For End-To-End: Part One · · Score: 1
    I think you're confusing addressing issues with access issues. You can firewall off any devices you want whether you use NAT or not, but with NAT you incur all of the penalties of having to muck with the headers of every packet. Also, when you use global addresses, it gives you the option of creating extranets without having to drastically re-address devices.

    Once IPv6 opens up the address space, I think whatever remaining legitimate reasons exist for using NAT will quickly melt away.

  9. Re: Maybe. on Quake Done Quick - With A Vengance · · Score: 1
    Hmmm... Bit of a judgement call, methinks.

    In the Quake II speed-run, they used some invisible trigger left over from debugging to skip 4 levels. I have no problem with level-skipping for "optional" levels (like the secret levels), and I can accept the systematic avoidance of invisible triggers which are intended to slow down the player's progress (by closing doors, blowing up bridges, activating lasers, etc.), but to actually activate one which was obviously never intended to be used in normal gameplay, goes over the line, in my opinion. I say "cheat!".

    (Besides, I wanted to see how they'd manage those 4 levels :-)

  10. Re:NEW EQUIPMENT! on Michigan "Anti-Hacker" Law's First Felony Charges · · Score: 1
    The article didn't actually say that the cracker caused a month of downtime. From what I've seen posted here, it appears that M-Net just seized the occasion to implement some overdue upgrades.

    Perhaps the author of the article could have made this a little more clear...

  11. Re:A note from m-net's sysop: on Michigan "Anti-Hacker" Law's First Felony Charges · · Score: 1
    Why do you find it a "highly unlikely contention"? I was on M-Net in the mid to late 80's, and it was already firmly established by then. Of course, they only had modem/UUCP connectivity at the time. Not nearly as easy to hack as today's technologies.

    Can't speak to their recent security practices, since I haven't been on in years (like, for instance, the entire decade of the 90's!)

  12. 20/20 Hindsight on The Roots Of BSD · · Score: 1
    Oh, puh-leeze! In 1985 it was far from obvious that Intel would dominate the market for desktop CPU's. The architecture of the 386 was really ugly compared to the 680x0 series and any Unix-ish port would have been crippled by it. Moreover, there wasn't any perceived rush to "beat" MS-DOS to the desktop since no-one really knew back then how big and monopolistic Microsoft would become.

    Howzabout you make some hardware/software predictions today, and we'll check back in 15 years and see how accurate they were? This business doesn't lend itself to easy prognostication.

    DC Airbag

  13. Reflections on GatesBlather on Arrest In The ILOVEYOU Case · · Score: 1
    So Bill Gates says, basically, "Love Bug was caused by a lack of innovation, split MicroSoft apart and you'll stifle innovation, therefore splitting MicroSoft up will cause more Love Bugs".

    Huh?

    Those of us who work with security and have done application work before are doing a massive double-take on this syllogism (or at least its premises), since it seems 180 degrees opposite to reality: it was, after all, the innovation of MicroSoft application developers that made Outlook so vulnerable to a VBS-based worm, and of course it was the innovation of the worm creator which caused all of this trouble in the first place. Lack of innovation isn't the problem here -- we already have innovation up to our eyeballs. Arguably, innovation caused, more than prevented, Love Bug.

    What's needed is not more innovation but accountability. Innovation without accountability is just reckless. Virus creators keep doing what they are doing because they don't have any accountability (or at least perceive this to be the case). Similarly, MicroSoft in its monopolistic perch apparently never perceived that they would be held accountable for their predatory, playground-bully practices. But now, thanks to the Justice Department et al., they are. Accountability at last. Accountability for their sloppy software design decisions is yet to come.

    So, as Our Friend Bill continues to push his "don't let the government stifle our innovation!" PR campaign, hopefully in the weeks and months ahead we'll all keep in mind how innovative the Love Bug worm was, and this will be a constant reminder that, as usual, Bill is only telling half of the story.

    DC AirBag