20 Most Critical Internet Security Vulnerabilities
The new 20 Most Critical Internet Security Vulnerabilities updated list just came out: http://www.sans.org/top20/

I was shocked to read the following on another list:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Big surprise that BIND is at the top of the UNIX list :P They even mentioned it by name unlike the horrible sendmail which they just lumped in with the other buggy mail programs. This proves once again that absolutely ANY DNS server is better than BIND. Even Microsoft's."
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Are Sendmail and BIND as bad as he implies or do I take this as the grumblings of an uninformed person?

Or is it just a matter of vulnerability only if one does not take proper care in the configuration phase?

I find it hard to believe that anything MS produces may be secured to a superior level of a Unix/Linux app.

--
Thanks! & 73, doc kd4e
West Central Florida
100% Linux. Suse 9.1
Drake, Hallicrafters, Heathkit, TenTec, Yaesu
Radio Life: http://www.gospelcom.net/twr/
Linux-Incompatible hardware is defective!
USA Pres. Election 2004: http://www.rnc.org/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On Sat, Oct 09, 2004 at 05:15:47PM -0400, doc wrote:
:
: The new 20 Most Critical Internet Security Vulnerabilities updated
: list just came out: http://www.sans.org/top20/
:
: I was shocked to read the following on another list:
: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
: "Big surprise that BIND is at the top of the UNIX list :P
: They even mentioned it by name unlike the horrible sendmail which
: they just lumped in with the other buggy mail programs. This proves
: once again that absolutely ANY DNS server is better than BIND. Even
: Microsoft's."
: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Which list?

: Are Sendmail and BIND as bad as he implies or do I take this
: as the grumblings of an uninformed person?
:
: Or is it just a matter of vulnerability only if one does not
: take proper care in the configuration phase?

Sounds like grumblings from a troll with a personal grudge against BIND.

http://www.sans.org/top20/#u1

Although the BIND development team has historically been quick to respond to and/or repair vulnerabilities, an excessive number of outdated, mis-configured and/or vulnerable servers still remain in production.

: I find it hard to believe that anything MS produces may be
: secured to a superior level of a Unix/Linux app.

Q: How do you secure a Windoze machine?
A: Turn it off.
doc
Are Sendmail and BIND as bad as he implies or do I take this as the grumblings of an uninformed person?
I'd recommend asking on suse-security as it's the far better place to get qualified answers to security topics. Philipp
On Sat, 2004-10-09 at 13:15, doc wrote:
The new 20 Most Critical Internet Security Vulnerabilities updated list just came out: http://www.sans.org/top20/
I was shocked to read the following on another list:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Big surprise that BIND is at the top of the UNIX list :P They even mentioned it by name unlike the horrible sendmail which they just lumped in with the other buggy mail programs. This proves once again that absolutely ANY DNS server is better than BIND. Even Microsoft's."
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Are Sendmail and BIND as bad as he implies or do I take this as the grumblings of an uninformed person?
Yes they are.
Or is it just a matter of vulnerability only if one does not take proper care in the configuration phase?
In some cases, yes.
I find it hard to believe that anything MS produces may be secured to a superior level of a Unix/Linux app.
I agree. We run djbdns, rbldns, qmail & VisualOffice. Very sweet.

/Dee
--
Thanks! & 73, doc kd4e
West Central Florida
100% Linux. Suse 9.1
Drake, Hallicrafters, Heathkit, TenTec, Yaesu
Radio Life: http://www.gospelcom.net/twr/
Linux-Incompatible hardware is defective!
USA Pres. Election 2004: http://www.rnc.org/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On 9 Oct 2004 at 17:15, doc wrote:
Date sent: Sat, 09 Oct 2004 17:15:47 -0400
From: doc
The new 20 Most Critical Internet Security Vulnerabilities updated list just came out: http://www.sans.org/top20/
I was shocked to read the following on another list:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Big surprise that BIND is at the top of the UNIX list :P They even mentioned it by name unlike the horrible sendmail which they just lumped in with the other buggy mail programs. This proves once again that absolutely ANY DNS server is better than BIND. Even Microsoft's."
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Are Sendmail and BIND as bad as he implies or do I take this as the grumblings of an uninformed person?
Or is it just a matter of vulnerability only if one does not take proper care in the configuration phase?
I find it hard to believe that anything MS produces may be secured to a superior level of a Unix/Linux app.
Note that these are the top ten security vulnerabilities for -each- of Windows and Unix. Presenting it this way makes it look like they're equal, but if the presentation was a single list of the top 20 then I suspect some of the Unix ones wouldn't be in the list at all, and also that most of the ones still in it would be in the lower half.

Also, I suspect there is a problem in that mis-configuration and program bugs are mixed in together. While the results may be the same, the causes and solutions to each problem are vastly different.

Alan Lenton
--
http://www.ibgames.net/alan
Registered Linux user #6822 http://counter.li.org
Winding Down - Weekly Tech Newsletter - subscribe at http://www.ibgames.net/alan/winding/mailing.html
On Sun, 2004-10-10 at 03:26, alan@ibgames.com wrote:
On 9 Oct 2004 at 17:15, doc wrote:
{snip}
The new 20 Most Critical Internet Security Vulnerabilities updated list just came out: http://www.sans.org/top20/
I was shocked to read the following on another list:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Big surprise that BIND is at the top of the UNIX list :P They even mentioned it by name unlike the horrible sendmail which they just lumped in with the other buggy mail programs. This proves once again that absolutely ANY DNS server is better than BIND. Even Microsoft's."
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Are Sendmail and BIND as bad as he implies or do I take this as the grumblings of an uninformed person?
Or is it just a matter of vulnerability only if one does not take proper care in the configuration phase?
I find it hard to believe that anything MS produces may be secured to a superior level of a Unix/Linux app.
Note that these are the top ten security vulnerabilities for -each- of Windows and Unix. Presenting it this way makes it look like they're equal, but if the presentation was a single list of the top 20 then I suspect some of the Unix ones wouldn't be in the list at all, and also that most of the ones still in it would be in the lower half.
Leaving aside the MS ones, we ought to look at the *nix ones, primarily. Surely we can address some of those concerns.
Also, I suspect there is a problem in that mis-configuration and program bugs are mixed in together. While the results may be the same, the causes and solutions to each problem are vastly different.
I agree. I was a little surprised to see NFS listed as a security vulnerability. I use this on my home network, though I'll most likely be switching over to Samba shares for Linux clients as well as MS clients, when I get the time and energy. I'm trying to remember the app for *nix that boasts that it's the most secure; IIRC that is true until users actually need to configure it, then it's only as secure as the configuration. I suppose this goes to programming logic/design.
participants (6)
- alan@ibgames.com
- doc
- Eugene
- Mike McMullin
- Philipp Thomas
- W.D.McKinney