Bugtraq mailing list archives

Re: UnixWare


From: mcn () nostromo c3 lanl gov (Michael Neuman)
Date: Wed, 27 Apr 1994 12:01:16 -0600


From spaf () cs purdue edu Wed Apr 27 11:52:25 1994

Just a comment on:
CERT reacts far too slowly to reported holes. I'd much rather
shut down some functionality on my system to wait for a patch than
leave systems wide open while waiting for a report to come from
CERT.

If you are using a commercial system like UnixWare, then what the heck
is wrong with your vendor that they aren't responding quickly?  CERT
passes vulnerabilities on to vendors.  When vendors inform them of a
patch, CERT publishes it.  But it is the *vendors* that are slow in
the process.  CERT doesn't fix things.

If you are going to direct criticism, direct it where it
belongs -- at vendors (and at customers who blindly buy the crap some
vendors put out).

  I'd agree with you EXCEPT I wasn't suggesting CERT should "fix the
bugs faster" as you imply. I'm complaining that they get a report of
a hole, pass it on to the vendors, and that's it. As I said above, I'd
much rather shut down some functionality on my system and wait for
a patch than leave my systems wide open. This is not a criticism of
CERT per se, but just the systems we have in place in general. If CERT
doesn't want this task of sending out advisories that look like, "There's
a problem in rdist, shut it down completely until a patch is available or
else..." than someone else should.

  CERT does do some great incident coordination--my interactions with them
(through CIAC) have been great. However, I just wish their role would be
expanded a little more.

-Mike
