Firewall Wizards mailing list archives

Re: Apology - not necessary


From: "Ryan Russell" <ryanr () sybase com>
Date: Sat, 26 Sep 1998 11:14:12 -0700




For the record, I'll reiterate my $3,000 challenge for a
disassembled proof of a trapdoor. I've appended the original
posting below.

It's sometimes difficult to prove "trap door" from "bug".  What's your
metric for proof?  Can it be non-disassembled evidence (packets, rules,
sniffer output), or is a direct comparison in the code the only form of
proof you'll accept, and are there any version limits?

The same thing occurred to me.  It would be really hard to distinguish
bug or bad advice from Checkpoint from an intentional hole.

For example, in the Checkpoint manuals and on-line help, it says
that "Allow control connections" must be checked on to be able to
remotely manage your FW-1.  This advice turns out to be not only wrong,
but leaves your firewall open to certain types of attack.  It's not
necessarily instant root, but constitutes a good-size hole.  Checkpoint
has issued instructions on how to work around it.

Personally, I believe this constitutes stupidity rather than maliciousness.

As for the rest of this thread...

There are plenty of other reasons for government agencies to not use FW-1
other than unsubstantiated rumor based on country of origin.  Paul gave
a nice summary list of some of them.  I can say that because my company
doesn't sell firewalls, and I'm a current FW-1 user.  My only vested
interest is in knowing how to configure FW-1 properly and knowing how
secure it is or isn't.

                         Ryan
