From owner-freebsd-security Sun Dec 22 20:54:32 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id UAA15918 for security-outgoing; Sun, 22 Dec 1996 20:54:32 -0800 (PST)
Received: from obie.softweyr.com (slc196.modem.xmission.com [204.228.136.196]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id UAA15913 for ; Sun, 22 Dec 1996 20:54:25 -0800 (PST)
Received: (from wes@localhost) by obie.softweyr.com (8.7.5/8.6.12) id VAA00471; Sun, 22 Dec 1996 21:54:33 -0700 (MST)
Date: Sun, 22 Dec 1996 21:54:33 -0700 (MST)
Message-Id: <199612230454.VAA00471@obie.softweyr.com>
From: Wes Peters
To: Apropos of Nothing
CC: security@freebsd.org
Subject: Re: CERT, CIAC, etc. unethical practices
In-Reply-To:
References:
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Apropos of Nothing writes:

> CERT's, CIAC's, and others' policies seem to be supporting everything but
> the free dissemination of information.

CERT in particular is chartered to work as a clearinghouse for computer security related information. They don't normally disseminate data unless you contact them with a problem; they will tell you if your problem has been previously reported, but not how many times or how often.

In a former lifetime, I created a commercial software product to analyze the security configuration of UNIX systems and report on deviations from a user-configured baseline. We contacted CERT several times asking for participation in this product. We were informed that CERT a) doesn't participate in commercial software development other than to forward reports to the system vendors (and no one else), and b) even if they did actually do security analysis, they weren't interested in analyzing commercial UNIX distributions in order to create recommended security configurations. In short, CERT doesn't *want* to really learn about computer security, just to hoard information about it.

Open disclosure works because it means the system administrators and developers get timely and accurate information about exploits so they can close the holes. If you run a security-sensitive system attached to a network, you should probably follow bugtraq alerts carefully. Watch CERT advisories also, but don't expect them to tell you much other than "call your vendor and mention this CERT advisory number."

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters
Softweyr LLC
http://www.xmission.com/~softweyr
softweyr@xmission.com