Re: [fw-wiz] Variations of firewall ruleset bypass via FTP
From: Paul Robertson (proberts@patriot.net)
Date: 10/11/02
- Next message: Al Potter: "Re: [fw-wiz] Variations of firewall ruleset bypass via FTP"
- Previous message: Darren Reed: "Re: [fw-wiz] Variations of firewall ruleset bypass via FTP"
- In reply to: Darren Reed: "Re: [fw-wiz] Variations of firewall ruleset bypass via FTP"
- Next in thread: Darren Reed: "Re: [fw-wiz] Variations of firewall ruleset bypass via FTP"
- Reply: Darren Reed: "Re: [fw-wiz] Variations of firewall ruleset bypass via FTP"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Paul Robertson <proberts@patriot.net> To: Darren Reed <darrenr@reed.wattle.id.au> Date: Fri Oct 11 15:38:00 2002
On Sat, 12 Oct 2002, Darren Reed wrote:
> This deserves more treatment than I have given it because I'm
> sure it is a reflection of an attitude people form when they
> have no understanding of roles and responsibilities people have,
> never mind what "software engineering" is, beyond a simple "hack
> on it" mentality.
I think you're taking it more personally than you should[1], let me see if
I can take a less inflamitory stance...
> So your reading, of my saying meaning the "someone else" to be the
> users is quite incorrect. What I said was, literally, quite correct.
I think what Mikael's concern was (and he'll pipe up if I'm wrong, I'm
sure) is that folks looking at the vuln. note will see "IPFilter- Not
vulnerable." and stop there, rather than looking for a Net- or Free-
entry. "Check the specific OS line, or your version number, or upgrade."
Might be more helpful too.
Please note I'm saying this with no direct evidence that the versions
shipping with any prior version of Net- are or aren't vulnerable- because
I think that's irrelevant to the point.
It's really about making sure people know they should upgrade, not about a
particular implementation. That's why I think it was irresponsible for
anyone else to talk about IPF's status, but if they shouldn't, then you
most certainly need to- and it should be verbose enough to ensure that
folks using IPF don't get the wrong idea.
Let's face it, most people don't run up-to-date systems, and we need to
point them to upgrades when we can. It may well be the responsibility of
the individual admin to check and read and dig for info, but since we
*know* that's going to fail more times than it doesn't (and this isn't a
shot at Net- admins, most of my evidence is based on OTHER *nix OS', I'm
just not sure the Net- folks are any different than anyone else.) We can
make it easier to encourage people to upgrade, or not, and I think a lot
of us are advocating that, nothing more.
If I were still admining NetBSD systems in production, I'd look at the IPF
entry well before I'd look at the NetBSD entry because I'd expect you to
have more complete and accurate information. Maybe that's the wrong way
to look at it, but I think that's the gist of the case Mikael proposed.
Paul
[1] Yes, that's really easy to say when you're not the person under fire.
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@patriot.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
- Next message: Al Potter: "Re: [fw-wiz] Variations of firewall ruleset bypass via FTP"
- Previous message: Darren Reed: "Re: [fw-wiz] Variations of firewall ruleset bypass via FTP"
- In reply to: Darren Reed: "Re: [fw-wiz] Variations of firewall ruleset bypass via FTP"
- Next in thread: Darren Reed: "Re: [fw-wiz] Variations of firewall ruleset bypass via FTP"
- Reply: Darren Reed: "Re: [fw-wiz] Variations of firewall ruleset bypass via FTP"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
