Re: PROPOSAL: Cluster 20 - DESIGN (27 candidates)
On Wed, Jul 21, 1999 at 09:26:37AM -0500, Gene Spafford wrote:
> At 10:33 AM +0200 7/21/99, email@example.com wrote:
> >hmm ... let me follow up.
> >I like your 'rule of thumb', but it needs some refinement, IMHO.
> I agree, but I think the idea is sound.
> For instance, with .forward.
> The fact that it can execute a program to list my whereabouts is a
> feature that I may use (and in fact, have used). The fact that
> the feature is not necessarily known to system admins, and would
> violate *some* policies is not reason to be listed in the CVE. If we
> start doing that, then we need to document every misunderstanding and
> unclear concept out there -- and Unix or NT alone would generate a
> few thousand!
I agree with Spaf and well as Dave. The basic idea is sound. (Would make
me happy to get rid of most of this "configuration" entries). But
we would make some concessions for known anomalies. Taking a page from
the AV world, viruses as just programs as such we would not normally
classify them as a vulnerability, but they are a known anomaly. In the
same way we should allow for known anomalies (.forward in ~ftp) to
be added to the CVE while keeping out things .forward in general.
Aleph One / firstname.lastname@example.org
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01