Just a comment on:

> CERT reacts far too slowly to reported holes. I'd much rather
> shut down some functionality on my system to wait for a patch than
> leave systems wide open while waiting for a report to come from
> CERT.

If you are using a commercial system like UnixWare, then what the heck is wrong with your vendor that they aren't responding quickly?

CERT passes vulnerabilities on to vendors. When vendors inform them of a patch, CERT publishes it. But it is the *vendors* that are slow in the process. CERT doesn't fix things.

The more people bash the CERT and other FIRST teams whose job is *incident response* and not bug coordination, the less people realize it is the vendors' fault. The vendors supply the poorly-tested software, the vendors are slow to respond to reports (if at all), and the vendors do little to support testing and development of practical approaches.*

If you are going to direct criticism, direct it where it belongs -- at vendors (and at customers who blindly buy the crap some vendors put out).

--spaf

* Footnote: I'm running a security research lab here. We've got a half-dozen projects under way on tools for existing systems, including Tripwire. I approached one major vendor about some support for the next version of Tripwire and some work on an intrusion detection system. The response: "We are not concerned about the security of our systems." A second major vendor appears to have no one internally who is responsible for research into improved system security or tools for their products. Sun Microsystems is the only vendor which has provided support for our work; I note they are also one of the few Unix vendors with active, visible internal research, accessible response personnel, and who make a real attempt to widely-publicize fixes in a timely manner -- without charge, too. They aren't perfect, but they're trying. Can the same be said about *your* vendor? And if not, why are you giving them your business?