90% of the internet is vulnerable ... (Score:4, Interesting)

to something called DNS poison [google.com]. Why? Because system administrators are anal and fail to realize that software like BIND is not written to be secure. Hell, DNS was not even designed for such a large internet. The original DNS implementors were bad programmers and designers.

BIND9... don't get your hopes up. The BIND company sells patches for their software. Meaning that if you don't pay them money then you're going to be running an erroneous DNS server.

Still most people use BIND for two reasons: no one wants

Re:90% of the internet is vulnerable ... (Score:3, Interesting)

Re:90% of the internet is vulnerable ... (Score:4, Informative)

Incorrect, it is open source.
It isn't GPL.
There's a big difference.

>Until a true open source alternative to BIND appears, we're stuck with it.

By "true alternative" do you mean it has to be GPLable?

Get real. djbdns' source is 100% available for you to look at and patch to your heart's content. If you find an error, send a fix to DJB and he'll add it after review. He'll even give you $500 [cr.yp.to] as a reward for your hard work. Find me a GPL program that makes a

$500 is nothing. (Score:2, Informative)

The $500 guarantee is worthless. How many hours do you think it takes to audit the djbdns source code? Anything more than 50, and you'd only need to make $10 an hour at your current job to make it a very unprofitable way to spend your time.

(Also: Who judges the "entrants" for the $500 prize? That's right, DJB does, and there are no formal rules as to exactly what qualifies as a security bug).

Re:$500 is nothing. (Score:2)

So? (Score:2)

No, it is worth something. If his software wasn't secure, offering the guarantee would have been an extremely arrogant move. Guess what? DJB is extremely arrogant (as many clever people tend to be). DJB is arguably enough of an asshole that I suspect that there are numerous people who would go out of their way to find security holes in his guaranteed software, just to spite him.

You failed to answer my point about who gets to judge the "entrants" and the rules of the contest.

Re:So? (Score:2)

It's irrelevant to my contradiction of your statement, "The $500 guarantee is worthless."

Look, it's a simple matter of economics: Auditing code is mostly tedious and there are sufficiently many ways of earning much more money (and with a guaranteed payoff!) auditing code that no amount of spite is worth it.

One matter of economics you're not considering is that value and worth are not equivalent to monetary

Re:$500 is nothing. (Score:1)

It's $500 more than most any other "secure" open source project has put up.

$10 an hour is more than you'd make auditing, oh, say, the Linux kernel for fun.

The fact that:
(a) Nobody has claimed they have found an error in DJB's code
(b) Nobody has claimed that DJB has refused to pay them (AFAIK)
shows the code is, at present, known secure.