Firewall Wizards mailing list archives

OBSD reaction to CERT advisory


From: "Paul D. Robertson" <proberts () patriot net>
Date: Wed, 9 Oct 2002 09:27:12 -0400 (EDT)


You know, it's probably not really CERT's fault, but when a "vendor" 
reaction to an advisory paints a specific picture about a "competing" 
project or product *especially* after the IP Filter/OpenBSD fragfest, it's 
just not good to republish it.  The CERT/CC Addendum *should* have been 
used in this case, or CERT at least should have contacted Darren Reed to 
get from "I didn't install an ipf machine, but from looking at the code..." to 
reality.

http://www.kb.cert.org/vuls/id/AAMN-5EQPEF

When we get such utterly childish public statements in a security venue 
such as a CERT vulnerability note, it doesn't help anyone.  I'd think 
twice about using an OS from a team who treats security more like a 
"celebrity deathmatch" wrestling event than a professional one.

I hope Darren does update CERT with a statement about IPFilter, and I hope 
it's based more on the information Mikael posted here than the stuff CERT 
did the first or second time around (We've gone from SACKs to TCP 
congestion control on the CERT side...)

Between this, misspelling Mikael's last name, and the fact that his vendor 
statement didn't show up until round 2, I'm not sure CERT has gained much 
at all credibility-wise, if anything from times past when they were more 
widely ridiculed.  Republishing this sort of childishness doesn't do CERT 
any good, and writing it in the first place makes the OBSD team look like 
a bunch of spoiled brats.

Statements like "The problem is in ipf" when there's been zero 
actual verification, let alone communication with the author should be 
taken as disinformation.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

