> This all got started because I tried to remind people that
> CERT/CIAC/NASIRC/ASSIST/Santa Claus is not why we have problems; they
> didn't put the bugs in your systems, and they aren't responsible for
> fixing them.

No, but I had thought they had advertised themselves as a worthwhile
place to report them, and my perception, and apparently that of many
other people here, is that this is not the case.

> The bugs came from your vendors, and it is up to those vendors to
> provide working fixes.

In many cases, the bugs come from the original BSD (or sometimes V7)
code, and knowing this is valuable to those who are working with a
non-vendor version derived from that same code. But CERT never says
anything like this; all they ever seem to say is "<foo> is a security
hole. The following vendors have patched versions available, here's
where to get them.", which is useless in helping people with other
vendor versions, or people with non-vendor versions, decide whether
they are at risk. That's one reason I subscribed to bugtraq - in the
hope of actually finding out enough about bugs to let me determine
when I'm vulnerable. And I'm glad to say it's done that.

der Mouse

mouse@collatz.mcrcim.mcgill.edu