On Sat, 12 Oct 2002, Darren Reed wrote:

> This deserves more treatment than I have given it because I'm
> sure it is a reflection of an attitude people form when they
> have no understanding of roles and responsibilities people have,
> never mind what "software engineering" is, beyond a simple "hack
> on it" mentality.

I think you're taking it more personally than you should[1], let me see if I can take a less inflammatory stance...

> So your reading, of my saying meaning the "someone else" to be the
> users is quite incorrect. What I said was, literally, quite correct.

I think what Mikael's concern was (and he'll pipe up if I'm wrong, I'm sure) is that folks looking at the vuln. note will see "IPFilter- Not vulnerable." and stop there, rather than looking for a Net- or Free- entry. "Check the specific OS line, or your version number, or upgrade." Might be more helpful too.

Please note I'm saying this with no direct evidence that the versions shipping with any prior version of Net- are or aren't vulnerable- because I think that's irrelevant to the point. It's really about making sure people know they should upgrade, not about a particular implementation. That's why I think it was irresponsible for anyone else to talk about IPF's status, but if they shouldn't, then you most certainly need to- and it should be verbose enough to ensure that folks using IPF don't get the wrong idea.

Let's face it, most people don't run up-to-date systems, and we need to point them to upgrades when we can. It may well be the responsibility of the individual admin to check and read and dig for info, but since we *know* that's going to fail more times than it doesn't (and this isn't a shot at Net- admins, most of my evidence is based on OTHER *nix OS', I'm just not sure the Net- folks are any different than anyone else.) We can make it easier to encourage people to upgrade, or not, and I think a lot of us are advocating that, nothing more.

If I were still admining NetBSD systems in production, I'd look at the IPF entry well before I'd look at the NetBSD entry because I'd expect you to have more complete and accurate information. Maybe that's the wrong way to look at it, but I think that's the gist of the case Mikael proposed.

Paul

[1] Yes, that's really easy to say when you're not the person under fire.
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
probertsat_private      which may have no basis whatsoever in fact."
probertsonat_private Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizardsat_private
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards