Bugtraq mailing list archives

Re: new iss stuff


From: rwing!pat () ole cdac com (Pat Myrto)
Date: Tue, 10 May 94 16:45:36 PDT


"In the previous message, ole!nersc.gov!jallen said..."

Pat,

      I think some people missed the point. ISS 2.0 is a commercial
product for sale. The author changed it so that the new commercial
version cannot be easily used to attack other sites but can be
used to protect your own site. Now any site of any size can purchase
ISS and scan themselves to protect themselves.

      You should not get a bad taste in your mouth from a legitimate
business starting up. I think that many many sites will find it
useful to purchase ISS. You will note that the author, a reader of this
list, did not use this list to try to sell his product. Others thought
the product useful enough to post the announcement here.

      I have been a beta site for 2.0 of ISS and have found it very
helpful. It sure beats only having a log book that says that a certain
patch has been installed.

Sure - if you want your security to be dependent on a black box.  And
you really believe that NO contributed code was not included in it, code
for which the original writers are not getting a DIME?  The price would
be reasonable, IF IT INCLUDED SOURCE.  But it doesn't.  For source it's
well over a grand.  It's back to security through obscurity (only now
its 'security through black boxes').

BTW - are you working using source or a binary-only version?  Would you
be happy to use a binary that might not gel too well with your site
with its mods and config?   Would you be willing to let a total
stranger on your site with root privs to build a version that would
work properly in such a case?  You are aware some patches to SunOS, for
example, DO affect the kernel structures, and if not compiled with the
patched headers, it will not work quite right?

The bad taste remains.  I smell a gouge playing on fear.  If they decide
to make the sources affordable, perhaps I will change my viewpoint.
Otherwise, they are making the decisions FOR the using admin, not allowing
him to decide what he wants to check.

As I said:  NO SALE.
-- 
pat@rwing  [If all fails, try:  rwing!pat () ole cdac com]  Pat Myrto - Seattle WA
"No one has the right to destroy another person's belief by demanding
empirical evidence."  --   Ann Landers, nationally syndicated advice columnist
and Director at Handgun Control Inc.


