D. J. Bernstein:

> The subject line is correct exactly as stated. -DPARANOID does not
> improve your computer's security. It has never improved anybody's
> computer security.

Confronted with evidence that widely-used BIND and NIS software wasn't vulnerable to a short TTL attack described in an earlier post, Bernstein presents a marginally different attack. This game could go on for a long time, but that would be a waste of everyone's time.

The TCP Wrapper documentation is very explicit about the limitations of unauthenticated IP/DNS. One can fix rshd/rlogind against some IP/DNS-based attacks, but until IP/DNS with strong authentication are widely deployed, the security of such services will be low, even when TCP Wrapped.

> You've done enough damage. Admit your mistake and turn off -DPARANOID.

I have resisted pressure to change this default for 7+ years. Now that people use tcpd access control for email, I'm reconsidering that decision - your friendly request notwithstanding.

Wietse
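For readers who want to see what the PARANOID check the thread argues about actually tests, here is an added example (not tcpd's own code) of the forward/reverse DNS consistency check that tcpd applies to a client address, run over a constructed in-memory resolver so it works offline. The zone entries, addresses and the `access_decision` helper are all assumptions made for the example; the point it illustrates is the one Wietse makes above, that the check only confirms consistency, not who controls the zones.

```python
# Added example: a PARANOID-style forward/reverse DNS consistency check,
# modelled on tcpd: reverse-map the client IP to a name, forward-map that
# name, and reject the client when its address is not among the results.
# Constructed zone data standing in for a resolver; no real hosts.
PTR = {
    "192.0.2.10": "trusted.example.net",      # consistent PTR/A pair
    "192.0.2.20": "trusted.example.net",      # PTR claims a trusted name
    "198.51.100.5": "host.untrusted-zone.example",
}
A = {
    "trusted.example.net": {"192.0.2.10"},
    # A forward zone run by the same party that runs the reverse zone for
    # 198.51.100.5 can always be made to agree with the PTR; that is the
    # "unauthenticated DNS" limitation the message refers to.
    "host.untrusted-zone.example": {"198.51.100.5"},
}

def paranoid_check(ip, ptr=PTR, a=A):
    """Return (hostname, accepted) for a client address.

    accepted is False when the reverse lookup fails or when the forward
    lookup of the returned name does not include the original address,
    which is the hostname/address mismatch tcpd labels PARANOID.
    """
    name = ptr.get(ip)
    if name is None:
        return (None, False)          # unknown hostname: reject
    if ip not in a.get(name, set()):
        return (name, False)          # mismatch: reject (PARANOID)
    return (name, True)

def access_decision(ip, allow_names, allow_addrs=frozenset()):
    """Hypothetical allow rule: pass the consistency check first, then
    match on an address or on a name from a zone the operator trusts.
    A consistent but attacker-run zone passes the check yet still fails
    the name rule, so allow-lists should name only zones you trust."""
    name, ok = paranoid_check(ip)
    if not ok:
        return "deny"
    if ip in allow_addrs or name in allow_names:
        return "allow"
    return "deny"

if __name__ == "__main__":
    for ip in PTR:
        print(ip, paranoid_check(ip),
              access_decision(ip, {"trusted.example.net"}))
```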
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:22:40 PDT