
Re: [SAGE] Re: Official sudosh announcement



At 3:24 PM -0400 2004-10-01, William LeFebvre wrote:

>  It was not in my first or my second message (or perhaps even my third
>  message) on this subject, but in one of my responses to Mr. Hanks I
>  most certainly did say "I think sudosh is a great idea!  I like it and
>  I thank you for sharing it with the community."

	I'm looking through your messages on this subject.  Here are the 
ones I see, in date order:

Date: Fri, 01 Oct 2004 04:55:00 -0400

	Does anybody else see a problem with this?

Date: Fri, 1 Oct 2004 10:38:46 -0400 (EDT)

	My fault for being obtuse.

	I am no SOx expert: in fact I've never had to deal with it.  But to
	imply in any way that remote syslog provides accountability just
	doesn't seem right to me.  It is unreliable and is easily spoofed.

Date: Fri, 01 Oct 2004 10:45:55 -0400

	Exactly.  To imply, as the original poster did, that sudosh provides the
	accountability that is needed for SOx compliance is disingenuous at best.

Date: Fri, 01 Oct 2004 12:17:39 -0400

	Syslog does not provide dependable accountability.  Ergo, neither
	does sudosh.

	However, I think sudosh is a great idea!  I like it and I thank you
	for sharing it with the community.  But I doubt that relying on
	syslog for an audit trail would satisfy SOx requirements.



	Is your clock off?  The only positive comment I see from you here 
is in the last message, and you don't acknowledge this achievement in 
any of the other messages.  On the whole, I would take all of these 
messages from you to be quite negative, and definitely not in the 
spirit of constructive criticism.

>  My objection and my negativism rests solely with his claim that his
>  tool provides "accountability with Sarbanes and Oxley".  In and of
>  itself it does not. It still requires a secure and reliable message
>  transport mechanism underneath it, a point which even now Mr. Hanks
>  refuses to admit.

	I've seen at least a couple of messages where Doug explicitly 
acknowledges that there may be weaknesses with standard UDP-based 
syslog and that, if you have concerns, it might be necessary to examine 
alternatives.

>                     And I see this omission on his part as disingenuous,
>  which Webster defines as "lacking in candor, giving a false appearance
>  of simple frankness."  If others care to see this view as posturing an
>  "attitude", then so be it.

	I don't see anything disingenuous here on the part of Doug.  I do 
see you failing to acknowledge the importance of the ground-breaking 
work that Doug is contributing to the community.  I also see you 
focusing all your attention on an apparent misinterpretation of a 
small part of his announcement, and then making a mountain out of 
that molehill.

	Granted, Doug could have been a bit more clear in his statement 
and acknowledged the potential security issues of the underlying 
system that he is relying on, but I don't see that as disingenuous.

-- 
Brad Knowles, <brad@stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.
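As an added illustration of the "secure and reliable message transport" point argued in this thread (this is not part of the thread, of sudosh, or of any poster's configuration), the following rsyslog legacy-syntax fragment places the plain UDP forwarding the thread criticises beside a TLS-authenticated TCP forwarder with a disk-assisted queue. The host name, spool directory and certificate paths are assumed placeholders, and it presumes a collector configured with the matching TLS listener.

```conf
# --- Weak: classic UDP forwarding (single '@').
# Datagrams are dropped silently under load or while the collector is
# down, and nothing authenticates the sender, so the collector cannot
# distinguish sudosh's records from any datagram that claims the same
# host name.  Commented out here; shown only for contrast.
#*.* @loghost.example.com:514

# --- Stronger: TCP carried over TLS with mutual X.509 authentication,
# plus a disk-assisted action queue so records survive a collector
# outage instead of being lost.  Requires rsyslog built with the gtls
# netstream driver.  All names and paths below are placeholders.
$WorkDirectory /var/spool/rsyslog

$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile   /etc/rsyslog.d/tls/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/tls/client-cert.pem
$DefaultNetstreamDriverKeyFile  /etc/rsyslog.d/tls/client-key.pem

# Mode 1 = TLS only; x509/name = verify the peer certificate chain and
# require its name to match the permitted peer below.
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer loghost.example.com

# In-memory queue that spills to disk, saved on shutdown, with
# unlimited retries so the action never discards messages.
$ActionQueueType LinkedList
$ActionQueueFileName fwdq
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1

# Double '@' selects TCP; 6514 is the conventional syslog-over-TLS port.
*.* @@loghost.example.com:6514
```

The queue and TLS directives apply only to the forwarding action that immediately follows them, so they must precede the `*.* @@...` line as shown.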