Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!mailrus!nrl-cmf!ames!pasteur!ucbvax!MATHOM.CISCO.COM!BILLW
From: BILLW@MATHOM.CISCO.COM (William Westfield)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: Getting Vendors To Fix Bugs
Message-ID: <12444712395.19.BILLW@MATHOM.CISCO.COM>
Date: 7 Nov 88 19:26:54 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 25

Interesting that you should mention X.25 certification as an example. It is true that the market requires X.25 certification, but the procedures and tests themselves are pretty much a joke.

The other problem is that I doubt whether you can get "a crack team of crackers" to spend weeks or months poring over the source code of some random operating system looking for security flaws, and still get vendors to pay only "a reasonable amount". I don't see how this could cost any less than $100K/release.

There is always the current practice of "beta test at a university", or "put it on the internet", which is a pretty reasonable test. The weakest point is still the users.

The sad part about this particular incident is that the sendmail hole has apparently been known to quite a large number of people for a long time. (After all, sendmail is not proprietary to any vendor, and sources are widely available.) No one did anything about it.

It is approximately true that the Internet is NOT overly concerned with security. The current incident has pointed out that perhaps we should be somewhat more concerned.

Bill Westfield
cisco Systems.
-------