Bugtraq mailing list archives

Re: tcpd -DPARANOID doesn't work, and never did


From: wietse () PORCUPINE ORG (Wietse Venema)
Date: Tue, 10 Nov 1998 00:18:50 -0500


D. J. Bernstein:
> The subject line is correct exactly as stated. -DPARANOID does not
> improve your computer's security. It has never improved anybody's
> computer security.

Confronted with evidence that widely-used BIND and NIS software
wasn't vulnerable to a short TTL attack described in an earlier
post, Bernstein presents a marginally different attack.

This game could go on for a long time, but that would be a waste
of everyone's time.  The TCP Wrapper documentation is very explicit
about the limitations of unauthenticated IP/DNS.

One can fix rshd/rlogind against some IP/DNS-based attacks, but
until IP/DNS with strong authentication are widely deployed, the
security of such services will be low, even when TCP Wrapped.

> You've done enough damage. Admit your mistake and turn off -DPARANOID.

I have resisted pressure to change this default for 7+ years.  Now
that people use tcpd access control for email, I'm reconsidering
that decision - your friendly request notwithstanding.

        Wietse
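The check at the centre of this thread is the name/address consistency test behind tcpd's PARANOID: resolve the client address to a name, then confirm that the name resolves back to that address. The following is an added illustration, not tcpd's code and not part of the original message; it uses a constructed in-memory resolver (the addresses and zone data are made up from documentation ranges) so it runs offline. It shows what the forward confirmation catches that a name-only rule does not, and, as the message points out, what it cannot catch: a client whose forward and reverse records both agree is trusted on the strength of unauthenticated DNS alone.

```python
"""Forward-confirmed reverse DNS, in the spirit of tcpd's PARANOID.

Added example with a constructed resolver; nothing here queries real DNS.
"""
import ipaddress

# Constructed zone data standing in for the DNS (assumption: made-up
# addresses from documentation ranges; none of these hosts exist).
REVERSE = {
    "192.0.2.10": "trusted.example.net",    # PTR agrees with the A record
    "198.51.100.7": "trusted.example.net",  # PTR claims a trusted name; A record disagrees
    "203.0.113.5": None,                    # no PTR record at all
}
FORWARD = {
    "trusted.example.net": ["192.0.2.10"],
}


def reverse_lookup(ip, zone=REVERSE):
    """Address -> name, or None when there is no PTR (stand-in for gethostbyaddr)."""
    return zone.get(ip)


def forward_lookup(name, zone=FORWARD):
    """Name -> list of addresses (stand-in for gethostbyname)."""
    return zone.get(name, [])


def classify_client(ip, reverse=REVERSE, forward=FORWARD):
    """Mirror the PARANOID consistency test.

    Returns (hostname_or_None, status), with status one of:
      'ok'       - name found in reverse and confirmed by a forward lookup
      'unknown'  - no reverse record (tcpd's UNKNOWN case)
      'paranoid' - reverse gives a name the forward lookup does not confirm
    """
    ipaddress.ip_address(ip)  # reject malformed input before any lookup
    name = reverse_lookup(ip, reverse)
    if name is None:
        return None, "unknown"
    if ip not in forward_lookup(name, forward):
        return name, "paranoid"
    return name, "ok"


def allowed_by_name_only(ip, allowed_names, reverse=REVERSE):
    """Naive rule: trust whatever name the reverse record hands back."""
    return reverse_lookup(ip, reverse) in allowed_names


def allowed_with_paranoid(ip, allowed_names, reverse=REVERSE, forward=FORWARD):
    """Same name-based rule, but refuse clients that fail forward confirmation."""
    name, status = classify_client(ip, reverse, forward)
    return status == "ok" and name in allowed_names


if __name__ == "__main__":
    trusted = {"trusted.example.net"}
    for client in REVERSE:
        print(client, classify_client(client),
              "name-only:", allowed_by_name_only(client, trusted),
              "paranoid:", allowed_with_paranoid(client, trusted))
```

The second client (198.51.100.7) is the case the check exists for: a reverse record asserting a trusted name that the forward zone does not back up. The first client passes both rules, which is the point of the message above: whoever controls or can spoof the answers for both directions of the lookup is still trusted, because nothing in the exchange is authenticated.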


