Bugtraq mailing list archives
Re: tcpd -DPARANOID doesn't work, and never did
From: wietse () PORCUPINE ORG (Wietse Venema)
Date: Tue, 10 Nov 1998 00:18:50 -0500
D. J. Bernstein:
The subject line is correct exactly as stated. -DPARANOID does not improve your computer's security. It has never improved anybody's computer security.
Confronted with evidence that widely-used BIND and NIS software wasn't vulnerable to a short TTL attack described in an earlier post, Bernstein presents a marginally different attack. This game could go on for a long time, but that would be a waste of everyone's time. The TCP Wrapper documentation is very explicit about the limitations of unauthenticated IP/DNS. One can fix rshd/rlogind against some IP/DNS-based attacks, but until IP/DNS with strong authentication are widely deployed, the security of such services will be low, even when TCP Wrapped.
You've done enough damage. Admit your mistake and turn off -DPARANOID.
I have resisted pressure to change this default for 7+ years. Now that people use tcpd access control for email, I'm reconsidering that decision - your friendly request notwithstanding. Wietse
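As an added illustration (not code from Wietse, Bernstein or the tcp_wrappers sources), the forward-confirmed reverse lookup that a PARANOID build of tcpd performs before consulting hosts.allow, written against constructed in-memory DNS tables so it runs offline; all hostnames, addresses and the rule list are made up.

```python
import ipaddress

# Constructed stand-ins for the resolver; these are not real DNS records.
PTR_TABLE = {
    "192.0.2.10": "trusted.example.com",   # PTR and A agree
    "192.0.2.20": "trusted.example.com",   # PTR claims a name whose A record excludes it
    "192.0.2.30": None,                    # no PTR record at all
}
A_TABLE = {"trusted.example.com": ["192.0.2.10"]}

def reverse_lookup(ip):
    return PTR_TABLE.get(ip)

def forward_lookup(name):
    return A_TABLE.get(name.rstrip("."), [])

def paranoid_check(ip, reverse=reverse_lookup, forward=forward_lookup):
    """Return (verdict, detail): 'ok' with the confirmed name, 'unknown' when the
    address has no PTR, or 'paranoid' when the PTR name does not map back to ip."""
    ip = str(ipaddress.ip_address(ip))  # reject malformed input early
    name = reverse(ip)
    if name is None:
        return ("unknown", "no PTR record")
    if ip not in forward(name):
        return ("paranoid", f"PTR says {name} but A records are {forward(name)}")
    return ("ok", name.rstrip("."))

def access_decision(ip, allow_names):
    """Hypothetical hosts.allow-style match on hostname only: a client whose
    forward/reverse data disagree is refused outright, as a PARANOID tcpd does;
    a client with no name can only ever match by address, so it is denied here."""
    verdict, detail = paranoid_check(ip)
    if verdict == "paranoid":
        return ("deny", detail)
    if verdict == "unknown":
        return ("deny", "name-based rule cannot match an unnamed client")
    return ("allow", detail) if detail in allow_names else ("deny", f"{detail} not in allow list")
```

The check only rejects inconsistent PTR/A data; it cannot authenticate the peer, which is the limitation of unauthenticated IP/DNS the message refers to.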