Bugtraq mailing list archives

Re: UnixWare


From: spaf () cs purdue edu (Gene Spafford)
Date: Sat, 30 Apr 94 14:53:45 -0500



No, but I had thought they had advertised themselves as a worthwhile
place to report them, and my perception, and apparently that of many
other people here, is that this is not the case.

It depends on your definition of "useful."  If it is defined as "gets
the bug reports to all the vendors without also disclosing it to any
real or potential bad guys in the process; follows up the report to
make sure that the vendors are maybe working on it; and then provides
a wide-ranging, trusted announcement method to alert people when the
fixes are available" then it *is* worthwhile.

However, if your definition of worthwhile is "Broadcasts details of
the bug to only those people who are on a particular network or
subscription list, including bad guys and hacker 'wannabes,' before
there is any fix available" then Usenet, 8lgm, Phrack, this list, and
other such forums are varying degrees more "worthwhile."

There are places in between these two, and other FIRST teams, other
groups and individuals (myself included) fall more in the middle.  In
my opinion, CERT also needs to move closer to the middle from their
current position (the other direction would take them towards "never
report the bug to anyone").  I still view CERT as worthwhile however,
as compared to some of the alternatives.

--spaf


