You know, it's probably not really CERT's fault, but when a "vendor" reaction to an advisory paints a specific picture about a "competing" project or product *especially* after the IP Filter/OpenBSD fragfest, it's just not good to republish it. The CERT/CC Addendum *should* have been used in this case, or CERT at least should have contacted Darren Reed to get from "I didn't install an ipf machine, but from looking at the code..." to reality.

http://www.kb.cert.org/vuls/id/AAMN-5EQPEF

When we get such utterly childish public statements in a security venue such as a CERT vulnerability note, it doesn't help anyone. I'd think twice about any using an OS from a team who treats security more like a "celebrity deathmatch" wrestling event than a professional one.

I hope Darren does update CERT with a statement about IPFilter, and I hope it's based more on the information Mikael posted here than the stuff CERT did the first or second time around (We've gone from SACKs to TCP congestion control on the CERT side...)

Between this, misspelling Mikael's last name, and the fact that his vendor statement didn't show up until round 2, I'm not sure CERT has gained much at all credibility-wise, if anything from times past when they were more widely ridiculed. Republishing this sort of childishness doesn't do CERT any good, and writing it in the first place makes the OBSD team look like a bunch of spoiled brats.

Statements like "The problem is in ipf" when there's been zero actual verification, let alone communication with the author, should be taken as disinformation.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
probertsat_private      which may have no basis whatsoever in fact."
probertsonat_private    Director of Risk Assessment
                        TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizardsat_private
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
This archive was generated by hypermail 2b30 : Wed Oct 09 2002 - 06:30:23 PDT