Re: UnixWare

Michael Neuman (mcn@nostromo.c3.lanl.gov)
Wed, 27 Apr 1994 12:01:16 -0600

> From spaf@cs.purdue.edu Wed Apr 27 11:52:25 1994

> Just a comment on:
> > CERT reacts far too slowly to reported holes. I'd much rather
> > shut down some functionality on my system to wait for a patch than
> > leave systems wide open while waiting for a report to come from
> > CERT.
> 
> If you are using a commercial system like UnixWare, then what the heck
> is wrong with your vendor that they aren't responding quickly?  CERT
> passes vulnerabilities on to vendors.  When vendors inform them of a
> patch, CERT publishes it.  But it is the *vendors* that are slow in
> the process.  CERT doesn't fix things.
> 
> If you are going to direct criticism, direct it where it
> belongs -- at vendors (and at customers who blindly buy the crap some
> vendors put out).

  I'd agree with you EXCEPT I wasn't suggesting CERT should "fix the
bugs faster" as you imply. I'm complaining that they get a report of
a hole, pass it on to the vendors, and that's it. As I said above, I'd
much rather shut down some functionality on my system and wait for
a patch than leave my systems wide open. This is not a criticism of
CERT per se, but just the systems we have in place in general. If CERT
doesn't want this task of sending out advisories that look like, "There's
a problem in rdist, shut it down completely until a patch is available or
else..." than someone else should.

  CERT does do some great incident coordination--my interactions with them
(through CIAC) have been great. However, I just wish their role would be
expanded a little more.

-Mike