Re: [fw-wiz] Too Paranoid?

From: Adam Shostack
To: Frederick M Avolio
Date: Mon Sep 30 16:22:01 2002

On Sun, Sep 29, 2002 at 08:10:19PM -0400, Frederick M Avolio wrote:
| At 01:57 PM 9/29/2002 -0400, Dave Piscitello wrote:
| >Totally in agreement.
| >
| >Any reputable vendor should appreciate this, and should be willing to
| >explain what security measures they have implemented to your
| >satisfaction, or if not to your satisfaction, willing to work to resolve
| >differences between their security posture and what your policy requires.
| Which planet would you be talking about? Key word in this, of course, is
| "should." Most probably it is "can't" because "never thought of it." Most
| reputable vendors SHOULD but don't.
| Most reputable vendors behave just as this one does. They are certain it is
| Not So Bad. And in their mind, it is not. Because all they know is
| firewalls make things secure and it can work with the firewall in place, as
| long as you poke a hole or two through it.

So, the only way to fix this is customer demand. I'd ask all the
questions you will, and then identify the vendor and post your
questions here, so that when other customers search on security and
vendor name, they'll find the question list.

Then the vendor will start to pay attention.

Just a nit about Dave's "mail it to yourself" thing. Don't bother. If
you need it documented, the best way is to have two peers sign and
date under the words "I have read and understood the above." Pick
peers who you think would come off well in court.

After that comes a notary, or filing a copy with an attorney.


"It is seldom that liberty of any kind is lost all at once."