Interactive Week: Putting the Web in a Bind
Mar 12, 2001, 22:18
(Other stories by Charles Babcock)
"In one sense, the Feb. 26 hacks were in fun. Fluffy Bunny stopped short of X-rated comments and no credit-card numbers were stolen or business data damaged on any of the sites. But they illustrate how escalating problems with the so-called BIND open source code represent the single most common threat to businesses that are increasingly depending on Internet-based technologies to sell their products or communicate with their customers."
"One of the weakest links on the self-governed Internet, the Berkeley Internet Name Domain (BIND) is the software that drives nearly 90 percent of all domain name servers on the Internet. BIND is used by DNS servers to resolve domain names, such as dinosaur.com, into numeric Internet Protocol (IP) addresses. Each Web site has a DNS server somewhere in front of it, though one DNS server may handle the addressing for many Web sites. Sixteen root DNS servers underlie all Internet operations, with roughly 500,000 DNS servers working on top of them. Of those running BIND, about 80 percent to 90 percent use versions that leave them vulnerable to exploits, according to the Computer Emergency Response Team (CERT) at Carnegie Mellon University."
"The problem is not just the code, but also the system - or lack thereof - for making sure that upgrades are made after new holes are identified and publicized to everyone, including hackers...."
"With no central Internet authority to turn to, advocates of an open, unregulated Internet are at a loss to explain how the BIND exposures will ever get cleared up."