Bugtraq mailing list archives
Re: UnixWare
From: spaf () cs purdue edu (Gene Spafford)
Date: Wed, 27 Apr 94 12:55:47 -0500
Just a comment on:
> CERT reacts far too slowly to reported holes. I'd much rather shut down some functionality on my system to wait for a patch than leave systems wide open while waiting for a report to come from CERT.
If you are using a commercial system like UnixWare, then what the heck is wrong with your vendor that they aren't responding quickly? CERT passes vulnerabilities on to vendors. When vendors inform them of a patch, CERT publishes it. But it is the *vendors* that are slow in the process. CERT doesn't fix things. The more people bash the CERT and other FIRST teams whose job is *incident response* and not bug coordination, the less people realize it is the vendors' fault. The vendors supply the poorly-tested software, the vendors are slow to respond to reports (if at all), and the vendors do little to support testing and development of practical approaches.*

If you are going to direct criticism, direct it where it belongs -- at vendors (and at customers who blindly buy the crap some vendors put out).

--spaf

* Footnote: I'm running a security research lab here. We've got a half-dozen projects under way on tools for existing systems, including Tripwire. I approached one major vendor about some support for the next version of Tripwire and some work on an intrusion detection system. The response: "We are not concerned about the security of our systems." A second major vendor appears to have no one internally who is responsible for research into improved system security or tools for their products. Sun Microsystems is the only vendor which has provided support for our work; I note they are also one of the few Unix vendors with active, visible internal research, accessible response personnel, and who make a real attempt to widely publicize fixes in a timely manner -- without charge, too. They aren't perfect, but they're trying. Can the same be said about *your* vendor? And if not, why are you giving them your business?