Date: Sun, 22 Dec 1996 11:00:16 -0500 (EST)
From: Apropos of Nothing <apropos@sover.net>
To: zen@trouble.org
Cc: security-alert@Sun.COM, cse-security-alert@csd.sgi.com, security@freebsd.org, ciac@llnl.gov, cert@cert.org, security-officer@freebsd.org
Subject: Re: CERT, CIAC, etc. unethical practices
Message-ID: <v03007802aee2c410f0dc@[204.71.18.158]>
The key issue here is respect for the *freedom* of intellectual property. The people of CERT shouldn't be making a judgement call on the people of Bugtraq. People in Bugtraq are not, on the whole, posting code to be malicious; it's just that they believe in the free dissemination of information. CERT's, CIAC's, and others' policies seem to be supporting everything but the free dissemination of information. Here's why:

CERT (I'll use CERT as an example) releases code only when someone else has publicly warned of the hole. Does this spread the message of an organization trying to be informative? No, CERT tries to keep holes quiet until absolute dire straits. Take the message from Alan Cox about slow vendor response; let's all take bets on how fast the patch is going to come now that the exploit has been revealed. Face it, there has come a time when the only way to prompt a patch or public security notice is to tell everyone there's a problem. So what happens if you warn CERT beforehand? According to several people on Bugtraq: nothing.

The next problem is, of course, that CERT refuses to recognize the people who found a given hole in the first place. I won't go into this issue since it's been beaten to a dead pulp already. CERT doesn't seem to come up with many of its own security alerts; when was the last time you saw a CERT alert that hadn't been posted to Bugtraq beforehand? How can they flagrantly ignore the people who discover the security holes, when the people who discover the security holes are the only ones doing the dirty work?

Finally, CERT makes a pointed effort to hide exploit information; their advisories can be extremely cryptic for this reason, and sometimes they don't even release a patch because it would give away the exploit. Is this free information? You tell me.

I hope you can see why these company policies need changing. Since the fault here is not a legal one, but rather a moral one, social action is the only recourse.

I propose a letter writing campaign (this does not mean, I repeat DOES NOT MEAN, a mail bombing campaign). Everyone should write well thought out letters to the following addresses:

CERT
  Email: cert@cert.org

CIAC
  Email: ciac@llnl.gov

FreeBSD
  Confidential contacts: security-officer@freebsd.org
  Security public discussion: security@freebsd.org

SGI
  Email: cse-security-alert@csd.sgi.com

SUN
  Email: security-alert@Sun.COM

Of course, if you feel like your messages are getting ignored at the above addresses, just send the same message to the root user at the server.

Apropos of Nothing