Date: Wed, 14 Oct 1998 08:16:18 -0400 (EDT)
From: mike@seidata.com
To: Nicholas Charles Brawn <ncb05@uow.edu.au>
Cc: Brett Glass <brett@lariat.org>, "Jan B. Koum " <jkb@best.com>, security@FreeBSD.ORG
Subject: Re: Spoofed connections on port 13223??
Message-ID: <Pine.BSF.4.05.9810140757140.9996-100000@ns1.seidata.com>
In-Reply-To: <Pine.SOL.4.02A.9810141050001.14321-100000@banshee.cs.uow.edu.au>
On Wed, 14 Oct 1998, Nicholas Charles Brawn wrote:

> > In short, they're ineffectual except perhaps as archivists.
>
> life-threatening importance first, and then work their way down. Your
> network may not have been high on their list. You cannot fault them for
> this.

Can I agree with both sides, or is that being a yellow-bellied coward? Oh, wait! I'm a sysadmin, I don't care what people think about me. ;)

I can see Brett's point... I know of many admins (myself definitely included) that have 'written CERT off' to some point in the past. This is mostly due to the untimely fashion in which CERT announcements are made to public forums such as Bugtraq. Qpopper comes to mind... As I recall, it was weeks after the FreeBSD lists and Bugtraq had already addressed the Qpopper overflow and provided patches for it before CERT even announced it as a problem.

I also see Nick's point... CERT does do a *lot* of good. Even if it was only archiving, as Brett mentions, it would still be highly valuable. CERT's announcements are sometimes more in-depth than those released by others (gee, maybe the reason their announcements take longer to make it 'to the press' is because they're doing more research than everyone else). Some sort of immediate-response forum is definitely needed to minimize damage to networks and computers (i.e. the security lists relating to your specific OS), but an in-depth perspective is valuable as well (such as that provided by CERT), imco.

Also, I find the first paragraph of www.cert.org quite enlightening: "The CERT* Coordination Center studies Internet security vulnerabilities, provides incident response services to sites that have been victims of attack, publishes a variety of security alerts, researches security and survivability in wide-area-networked computing, and develops information to help you improve security at your site."
Assuming an institution of CERT's caliber would be prone to logical thought (not always true, I know, but I believe it is in this case), the progression of this paragraph should tell us a lot. Their first goal is the study of Internet security vulnerabilities - not beating everyone else to the press - but studying the how's and why's of security situations.

Also, I notice this is a lot for *any* institution to undertake. I'm sure they get everything from 'Our 200,000 node WAN was seriously compromised this AM' to 'Someone on IRC rooted my linux box' (not a crack at Linux, just an example). Some sort of delegation obviously *has* to take place for CERT to be effective at all, and, as Nick mentions, they must categorize their responses.

In short, I've had disagreements with CERT in the past (it's natural for every admin to feel *their* network is the *most* important ;), but I do feel they're here to help us when they can. It's not a light task they've taken on, and perhaps rather than griping that they don't respond quickly enough, etc., we should be asking how we can help.

Later,
-mike

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message