[dns-operations] "freeware is a recipe for problems"

Douglas Otis dotis at mail-abuse.org
Thu Sep 24 18:00:47 UTC 2009

On 9/24/09 9:58 AM, Florian Weimer wrote:
> * Stephane Bortzmeyer:
>> On Wed, Sep 23, 2009 at 02:13:04AM -0700,
>>   Matthew Dempsky<matthew at dempsky.org>  wrote
>>   a message of 13 lines which said:
>>> and also don't count CVE-2008-1447
>> Indeed: http://www.nominum.com/asset_upload_file741_2661.pdf
>> Now that they've said there never was a vulnerability,
> They said "known vulnerability", and probably mean "publicly disclosed
> vulnerability".

Back in the eighties, an application for a secret clearance required 
confirmation as to whether you were or ever have been a member of the 
communist party.  Perhaps in the two aught tens, this becomes were you 
or have you ever participated in open-source projects covered by a GNU 

There is a fair amount of effort attempting to make it more difficult 
for bad actors, once they find a means to escalate user privilege, to 
then locate code locations by things like ALSR (Address Space Layout 
Randomization).  Unfortunately, with only eight bits of entropy, this 
technique is easily defeated by simple methods, while also making it 
difficult to confirm a system's integrity.  From a vendor's perspective, 
if a compromise can not be detected, then such compromises can be safely 
considered non-existent, and thus to have never happen.

Little is being done to change long standing practices that produce 
exploit opportunities, such as avoiding C++ dependent upon high level 
libraries inviting programmers to ignore the structural details related 
to various class interfaces evolving within COM infrastructure, for 
example.  Even the approach of depending upon foreign objects to select 
handler sources seems unlikely to change.  Maybe they are right. 
Perhaps it is better to not know what is lurking within a proprietary OS.

I was in China a while back talking with officials about tracking police 
vehicles.  When I suggested a need to encrypt information being 
broadcast by radio, a long outburst with red faces lasted at least 20 
minutes.  During this, the translator, after whispering that it is 
illegal to own a radio, kept writing "Not Important" over and over. 
Perhaps if the attitude about open source software's inferiority to 
proprietary software prevails, it will become illegal to even own a 


More information about the dns-operations mailing list