Re: tcpd -DPARANOID doesn't work, and never did

From: Wietse Venema (wietseat_private)
Date: Mon Nov 09 1998 - 21:18:50 PST


D. J. Bernstein:
> The subject line is correct exactly as stated. -DPARANOID does not
> improve your computer's security. It has never improved anybody's
> computer security.

Confronted with evidence that widely-used BIND and NIS software
wasn't vulnerable to a short TTL attack described in an earlier
post, Bernstein presents a marginally different attack.

This game could go on for a long time, but that would be a waste
of everyone's time.  The TCP Wrapper documentation is very explicit
about the limitations of unauthenticated IP/DNS.

One can fix rshd/rlogind against some IP/DNS-based attacks, but
until IP/DNS with strong authentication are widely deployed, the
security of such services will be low, even when TCP Wrapped.

> You've done enough damage. Admit your mistake and turn off -DPARANOID.

I have resisted pressure to change this default for 7+ years.  Now
that people use tcpd access control for email, I'm reconsidering
that decision - your friendly request notwithstanding.

        Wietse
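The check the thread is arguing about, as an added illustration that is not part of the original message and not tcp_wrappers' own code: a PARANOID-style consistency test resolves the client address to a name (PTR), resolves that name back to addresses (A), and accepts the name only if the original address is among them. The description of PARANOID as that reverse-then-forward cross-check is the editor's summary, not a quotation from the thread, and the `Resolver` class, the record tables and every address and host name below are constructed so the example runs offline. The last scenario shows the limitation Wietse refers to: the check detects inconsistent answers, but it cannot tell whether consistent answers are authentic, so name-based access rules inherit whatever trust the resolver's data deserves.

```python
"""PARANOID-style forward/reverse DNS consistency check (added example)."""

from typing import Dict, List, Optional, Tuple


class Resolver:
    """Constructed in-memory stand-in for the system resolver.

    ptr maps an IPv4 address string to the host name its PTR record gives;
    a maps a host name to the list of addresses its A records give.
    """

    def __init__(self, ptr: Dict[str, str], a: Dict[str, List[str]]) -> None:
        self.ptr = ptr
        self.a = a

    def reverse(self, ip: str) -> Optional[str]:
        return self.ptr.get(ip)

    def forward(self, name: str) -> List[str]:
        return self.a.get(name, [])


def paranoid_check(resolver: Resolver, ip: str) -> Tuple[Optional[str], str]:
    """Return (hostname, reason).

    hostname is the reverse-resolved name when the forward lookup of that
    name contains ip again, otherwise None. The reason string says which
    step failed, which is what an access-control log line would report.
    """
    name = resolver.reverse(ip)
    if name is None:
        return None, "no PTR"
    if ip not in resolver.forward(name):
        return None, "forward/reverse mismatch"
    return name, "consistent"


# Constructed record set: one legitimate host plus one address whose PTR
# claims the legitimate name without the matching A record.
CONSISTENT = Resolver(
    ptr={
        "192.0.2.10": "trusted.example.org",
        "198.51.100.7": "trusted.example.org",   # PTR points at a name it does not own
    },
    a={"trusted.example.org": ["192.0.2.10"]},
)

# Constructed record set representing a resolver whose cached answers for
# trusted.example.org are wrong in a self-consistent way (for instance a
# stale or substituted cache entry). Both lookups agree, so the check passes.
BAD_CACHE = Resolver(
    ptr={"198.51.100.7": "trusted.example.org"},
    a={"trusted.example.org": ["198.51.100.7"]},
)


def demo() -> Dict[str, Tuple[Optional[str], str]]:
    """Run the check over the constructed scenarios and return the results."""
    return {
        "legitimate": paranoid_check(CONSISTENT, "192.0.2.10"),
        "forged PTR": paranoid_check(CONSISTENT, "198.51.100.7"),
        "no PTR": paranoid_check(CONSISTENT, "203.0.113.5"),
        "bad cache": paranoid_check(BAD_CACHE, "198.51.100.7"),
    }


if __name__ == "__main__":
    for label, (name, reason) in demo().items():
        print(f"{label:12s} -> {name!r:24s} {reason}")
```

Reading the four results together is the point: the check rejects a PTR that the forward zone does not confirm, which is real protection against the simplest spoofed reverse record, but it accepts any pair of answers that agree, so an access rule written in terms of host names is only as strong as the resolver's data. Rules keyed on addresses, or services with their own authentication, do not depend on that.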
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:22:40 PDT