[fw-wiz] OBSD reaction to CERT advisory

From: Paul D. Robertson (probertsat_private)
Date: Wed Oct 09 2002 - 06:27:12 PDT

    You know, it's probably not really CERT's fault, but when a "vendor" 
    reaction to an advisory paints a specific picture about a "competing" 
    project or product *especially* after the IP Filter/OpenBSD fragfest, it's 
    just not good to republish it.  The CERT/CC Addendum *should* have been 
    used in this case, or CERT at least should have contacted Darren Reed to 
    get from "I didn't install an ipf machine, but from looking at the code..." to 
    reality.
    
    http://www.kb.cert.org/vuls/id/AAMN-5EQPEF
    
    When we get such utterly childish public statements in a security venue 
    such as a CERT vulnerability note, it doesn't help anyone.  I'd think 
    twice about any using an OS from a team who treats security more like a 
    "celebrity deathmatch" wrestling event than a professional one.
    
    I hope Darren does update CERT with a statement about IPFilter, and I hope 
    it's based more on the information Mikael posted here than the stuff CERT 
    did the first or second time around (We've gone from SACKs to TCP 
    congestion control on the CERT side...)
    
    Between this, misspelling Mikael's last name, and the fact that his vendor 
    statement didn't show up until round 2, I'm not sure CERT has gained much 
    at all credibility-wise, if anything from times past when they were more 
    widely ridiculed.  Republishing this sort of childishness doesn't do CERT 
    any good, and writing it in the first place makes the OBSD team look like 
    a bunch of spoiled brats.
    
    Statements like "The problem is in ipf" when there's been zero 
    actual verification, let alone communication with the author should be 
    taken as disinformation.
    
    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson      "My statements in this message are personal opinions
    probertsat_private      which may have no basis whatsoever in fact."
    probertsonat_private Director of Risk Assessment TruSecure Corporation
    