Date:      Sun, 22 Dec 1996 21:54:33 -0700 (MST)
From:      Wes Peters <softweyr@xmission.com>
To:        Apropos of Nothing <apropos@sover.net>
Cc:        security@freebsd.org
Subject:   Re: CERT, CIAC, etc. unethical practices
Message-ID:  <199612230454.VAA00471@obie.softweyr.com>
In-Reply-To: <v03007802aee2c410f0dc@[204.71.18.158]>
References:  <v03007802aee2c410f0dc@[204.71.18.158]>

Apropos of Nothing <apropos@sover.net> writes:
 > CERT's, CIAC's, and others' policies seem to be supporting everything but
 > the free dissemination of information.

CERT in particular is chartered to work as a clearinghouse for
computer security related information.  They don't normally
disseminate data unless you contact them with a problem; they will
tell you if your problem has been previously reported, but not how
many times or how often.

In a former lifetime, I created a commercial software product to
analyze the security configuration of UNIX systems and report on
deviations from a user-configured baseline.  We contacted CERT several
times asking for participation in this product.  We were informed that
CERT a) doesn't participate in commercial software development other
than to forward reports to the system vendors (and no one else), and
b) even if they did actually do security analysis, they weren't
interested in analyzing commercial UNIX distributions in order to
create recommended security configurations.

In short, CERT doesn't *want* to really learn about computer security,
just to hoard information about it.  Open disclosure works because it
means the system administrators and developers get timely and accurate
information about exploits so they can close the holes.

If you run a security sensitive system attached to a network, you
should probably follow bugtraq alerts carefully.  Watch CERT
advisories also, but don't expect them to tell you much other than
"call your vendor and mention this CERT advisory number."

-- 
          "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                       Softweyr LLC
http://www.xmission.com/~softweyr                       softweyr@xmission.com





