Bugtraq mailing list archives

Re: UnixWare


From: spaf () cs purdue edu (Gene Spafford)
Date: Wed, 27 Apr 94 12:55:47 -0500


Just a comment on:
CERT reacts far too slowly to reported holes. I'd much rather
shut down some functionality on my system to wait for a patch than
leave systems wide open while waiting for a report to come from
CERT.

If you are using a commercial system like UnixWare, then what the heck
is wrong with your vendor that they aren't responding quickly?  CERT
passes vulnerabilities on to vendors.  When vendors inform them of a
patch, CERT publishes it.  But it is the *vendors* that are slow in
the process.  CERT doesn't fix things.

The more people bash the CERT and other FIRST teams whose job is
*incident response* and not bug coordination, the less people realize it
is the vendors' fault.  The vendors supply the poorly-tested software,
the vendors are slow to respond to reports (if at all), and the
vendors do little to support testing and development of practical
approaches.*  If you are going to direct criticism, direct it where it
belongs -- at vendors (and at customers who blindly buy the crap some
vendors put out).

--spaf


* Footnote: I'm running a security research lab here.  We've got a
half-dozen projects under way on tools for existing systems, including
Tripwire.  I approached one major vendor about some support for the
next version of Tripwire and some work on an intrusion detection
system.  The response: "We are not concerned about the security of our
systems."  A second major vendor appears to have no one internally who
is responsible for research into improved system security or tools for
their products.  Sun Microsystems is the only vendor which has
provided support for our work; I note they are also one of the few
Unix vendors with active, visible internal research, accessible
response personnel, and who make a real attempt to widely publicize
fixes in a timely manner -- without charge, too.  They aren't perfect,
but they're trying.  Can the same be said about *your* vendor?  And if
not, why are you giving them your business?
