At 08:26 18/02/99 -0500, Steven Choi wrote:
>I am getting frustrated.
If you work with computers, you must get frustrated - sooner or later.
>And not too long ago on Bugtraq, Dr. Mudge posted that security vendors
>should wake up and take the responsibility to write secure code. After Dr.
>Mudge has endorsed NFR because it was free with source code publicly
>available, it's ironic that Dr. Mudge's advice to security vendors didn't
>get heeded by NFR. Maybe Dr. Mudge should help NFR with an audit.
Yeah. Let's trash the only IDS product (well, let's say the only
"professional" IDS product) that comes with the source, and switch to all
those nice NT IDS systems, where we have no clue what's going on...
You will feel safer!? (I am sure that no other product has security
vulnerabilities, yeah...)
The reason why the bug was found is: the source was available. You should be
happy that NFR is improved. Most other products might have horrible
bugs, but you won't know it...
As much as I remember, you *define* the IP address where the web server will
listen. If you allow external people to connect to the NFR web server on the
machine running NFR... You don't really need NFR then.
This reminds me of people yelling "What kind of OS is Linux, when a patch is
issued one day after the major release (2.2)?". Instead of being *happy*
that bugs are fixed within 24 hrs, they cry...
And I respect NFR even more, because in their 'patch release' you will not
find things like:
"NFR has received no reports of customers being adversely affected by
this problem, bla, bla, crap, crap..."
They fixed the problem, and hey... Life goes on.
Vanja
p.s: And there is always the last option: if you don't like it - don't use
it. There are so many other IDS products available...
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]