> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Vanja Hrustic
> Sent: Thursday, February 18, 1999 9:14 AM
> To: [EMAIL PROTECTED]
> Subject: Re: NAI Security Advisory: Vulnerability in NFR 2.0.2-Research
> 
> 
> At 08:26 18/02/99 -0500, Steven Choi wrote:
> >I am getting frustrated. 
> 
> If you work with computers, you must get frustrated - sooner or later.

I think he means over and above the obvious.

> 
> >And not too long ago on Bugtraq, Dr. Mudge posted that security vendors should wake up and take the responsibility to write secure code. After Dr. Mudge endorsed NFR because it was free with source code publicly available, it's ironic that Dr. Mudge's advice to security vendors didn't get heeded by NFR. Maybe Dr. Mudge should help NFR with an audit.
> 
> Yeah. Let's trash the only IDS product (well, let's say the only "professional" IDS product) that comes with the source, and switch to all those nice NT IDS systems, where we have no clue what's going on...

A little subjective, don't you think?

> 
> You will feel safer!? (I am sure that no other product has security vulnerabilities, yeah...)
> 
> The reason why the bug was found is: the source was available. You should be happy that NFR is improved. Most other products might have horrible bugs, but you won't know it...

Source code is not necessary for locating bugs; it only takes
identifying where the product does not work as needed or proclaimed.
Source *is* necessary (or at least very useful) for fixing the bugs. I
sincerely doubt the NT bugs that I have been following in other
discussion groups were found by individuals with access to source
code, or they would have had M$ e-mail addresses (or never been
published). This statement (as is) just is not true.

> 
> As far as I remember, you *define* the IP address where the web server will listen. If you allow external people to connect to the NFR web server on the machine running NFR... You don't really need NFR then.
> 
> This reminds me of people yelling "What kind of OS is Linux, when a patch is issued one day after the major release (2.2)?". Instead of being *happy* that bugs are fixed within 24hrs, they cry...

I must agree with this statement, though. There will be NO software
written that is released in a manner such as to be timely and useful
without containing some sort of shortcoming. If we waited for all the
bugs to be worked out, we'd be using Lotus 1-2-3 v1.x for DOS, and
still waiting for v2.0, by now.

> 
<snip>
> 
> Vanja
> 
> P.S.: And there is always the last option: if you don't like it - don't use it. There are so many other IDS products available...
> 

Another very good point . . .

R. Michael Williams, MCSE
Nashville, TN

"Time exists so everything doesn't happen at once;
 Space exists so it all doesn't happen to you."
                                                Unknown
