> Date: Fri, 11 Oct 2002 15:49:12 -0400 (EDT)
> From: Paul Robertson <probertsat_private>
> To: Darren Reed <darrenrat_private>
> Cc: Mikael Olsson <mikael.olssonat_private>,
>     <firewall-wizardsat_private>
>
> On Sat, 12 Oct 2002, Darren Reed wrote:
>
> > This deserves more treatment than I have given it because I'm
> > sure it is a reflection of an attitude people form when they
> > have no understanding of roles and responsibilities people have,
> > never mind what "software engineering" is, beyond a simple "hack
> > on it" mentality.
>
> I think you're taking it more personally than you should[1], let me see if
> I can take a less inflammatory stance...
>
> > So your reading, of my saying meaning the "someone else" to be the
> > users is quite incorrect. What I said was, literally, quite correct.
>
> I think what Mikael's concern was (and he'll pipe up if I'm wrong, I'm
> sure) is that folks looking at the vuln. note will see "IPFilter- Not
> vulnerable." and stop there, rather than looking for a Net- or Free-
> entry. "Check the specific OS line, or your version number, or upgrade."
> Might be more helpful too.

Sorry to overextend this thread, but I just started reading it today.
(I just ran across the advisory on CERT's page, I haven't been reading
fwwiz consistently)

The title of the advisory begins "Multiple vendors' firewalls do not.."
But when I read through it and looked at the vendor list, there was only
a single vendor listed as "vulnerable". Everyone else was listed as
either "not vulnerable" or "unknown". So logically, where does this
"Multiple vendors firewalls.." come from?

When I read an advisory like that, I care much more about finding out
*when* the problem was fixed, than the fact that a patch from 30 minutes
ago fixed that vendor's vulnerability. Because as someone else
mentioned, most of the world isn't running today's release.

So what I *want* to see, in the initial listing, instead of "not
vulnerable", is "fixed". I will then assume that those listed as "not
vulnerable" were "never" vulnerable, and for the ones listed as "fixed"
I will drill down further and look at the specific versions and dates
when the problem was fixed.

The current way that they're listed in the CERT advisory, therefore, is
*not* helpful to me. It wastes my time, and it gives a false initial
impression of what is and is not vulnerable.

--
Philip J. Koenig pjklistat_private
Electric Kahuna Systems -- Computers & Communications for the New Millenium

_______________________________________________
firewall-wizards mailing list
firewall-wizardsat_private
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards