1) There are people on this list (and on other lists) who seem to think that anyone managing a Unix system is a security professional. Many of those people think that a cracker's mindset is special, and crackers' techniques useful. They are mistaken, but do not have the experience to understand it. This is not an issue we can resolve in this mailing list.

2) There are people on this list who espouse views such as:

> I was just wondering who you thought found any of the holes in the first
> place? It sure as hell isn't down to all you so called security consultants!

...as if it was our jobs to find all the bugs in distribution software for someone else. Yeah, right, in our spare time. I dare say that if you were to pay Fred Cohen and myself and other, similar professionals our going rates and asked us to comb through a distribution version of a system, we'd uncover many (and maybe most) of the holes and problems. However, that takes time, effort and money. That's why those systems are shipped with the holes in them -- it takes too long and is too expensive for the vendors to find them. Instead, it is cheaper to ship them and respond to the holes as they are discovered.

Of course, if you hired one of us as professional consultants, we'd also help you review (or write) a formal security policy, do a risk assessment, do a physical site review, test alarms and physical controls, coordinate spot personnel audits, institute an awareness program, update business continuation plans, spot-check data recovery services, review liability exposures, and a whole lot of other things that are critical to good security -- we realize that the majority of losses at most sites come from insiders abusing the system, not from ankle-biters off the net.

If you think someone whose major recommendation is that he or she knows how to come in from the Internet to install a password sniffer and exploit a race condition on Unix is therefore somehow well-suited to protect your site, well, you may deserve what you get.

3) As someone who has discovered lots of flaws, I can tell you that discovering them and getting them fixed is a far different and more private pursuit than exploiting them or blasting details out to mailing lists. The fact that you don't hear about them being found and reported doesn't mean it isn't happening.

4) This whole thread is getting far afield of IDs. I already dropped my subscriptions to several other security mailing lists because they had a high noise level from people who had installed "crack" and "COPS" and thus decided they were security experts. Please let's not let that happen to this list too? Can we please go back to intrusion detection as a topic?

For instance, let's get back to the fact that more than 75% of system abuses in typical commercial environments comes from insiders. Is anyone looking at what is different about these insiders that can be detected or monitored?

--spaf