Support tied up with BIND
August 1, 2008
Computer vendors worked hard and fast last month to fix a glaring hole in Domain Name Services. The exposure allowed hackers to exploit computer systems with DNS services which use BIND (Berkeley Internet Name Domain), the popular open-source DNS software maintained by the Internet Software Consortium. A consortium of vendors worked together. Apple dragged its feet, releasing something yesterday which doesn't fix the problem.
It could be worse. The MPE/iX repair for this security problem is still being engineered into the operating system. HP's lab experts are doing the work now, and the project has high priority. But what kind of priority will fixing 3000 security holes have at HP on January 1, 2009?
These repairs will not be the kind of work typical of HP Response Center support engineering. After all, HP has said that 2009-2010 will be the era "without sustaining engineering." Which is exactly why the time has now arrived for Hewlett-Packard — and specifically R&D manager Ross McDonald — to finally start to un-BIND the system source code from those HP labs which close in about 20 weeks.
HP, starting with McDonald and perhaps moving down the org chart to business manager Jennie Hou, says that no more external reviews are needed to transfer the 3000's source code to an outside organization. HP will do an internal review, without the oversight of any third-party experts who will actually have to build and release MPE/iX patches to fix things like security breaches.
BIND bit the Internet-using world in vulnerable places this week, after speculation about the DNS vulnerability essentially confirmed its technical details. Exploit code appeared. This week, attacks began against unpatched DNS servers. That could be an HP 3000 which HP supports during 2009. If it's not a DNS "poisoning" exploit, it will be something else.
HP will not be able to repair such things in 2009, according to its statement that extended HP's 3000 support until 2010. There's more repair trouble brewing on the horizon, like those new IPv6 Internet addresses that will change the address of every computer on any network. HP's lab won't deliver any 3000 support for that, either. And tossed-off answers like "well, just put a Linux box between the 3000 and the networks" won't cut it. Someone has to engineer the integration from that box into the 3000. In less than a couple dozen weeks, it won't be HP's labs.
When McDonald signed a 2005 letter saying HP would turn over MPE/iX source code, it didn't say when exactly. But his letter did say the source code would change hands
...when HP no longer offers services that address the basic support needs of remaining HP 3000 customers.
There's no way that failing to fix a security patch can "address the basic support needs" of HP's 3000 community. So the clock is already running toward the transfer of MPE/iX outside of HP. It's just about time that Hewlett-Packard and McDonald look that clock in the face.