Re: FIRST and CERT

[perry () snark imsi com (Perry E. Metzger)]

Gene Spafford says:
> If someone's site has been broken into, CERT will respond to the phone
> 24 hours a day.  Maybe their response isn't always as complete as some
> people on this list and elsewhere would like.  But they do respond,
> and they do try to help sites get cleaned up after incidents and back
> "on the air".  They have responded to thousands of incidents, many for
> admins at sites who had no where else to turn and no clue what to do.

I was in the position of calling up CERT during the last set of
Sendmail trouble. They could tell me nothing of value. I was in a
position of trying to decide whether the threat to the company I
worked for was sufficient to shut down production work going on over
the internet to defend us -- making the wrong decision, either way,
would cost us big time. CERT was a useless lump of merde so far as I
could tell.

They could tell me nothing useful to evaluate the threat, and they
could not or would not tell me anything about how to fix it. Not even
the most general questions were answered.

"Can the problem be used to penetrate a machine that you don't have
direct TCP access to?"

"We can't tell you."

"Can the problem be fixed by removing the PROG mailer?"

"We can't tell you."

"Can the problem be used to gain root access directly, or only access
as daemon or the like."

"We can't tell you."

I'm sure Gene will say "it was Sun's responsibility to fix your
problem". Well, that may be so, but on the other hand, it was my
responsibility to fix the problem -- if we'd had a penetration my
management would not have forgiven me on the basis that our vendor let
us down. I would have been fired -- deservedly. I didn't have time to
play childrens games about who could tell what to whom. I wasn't even
concerned about open disclosure as a matter of principle -- I just
wanted disclosure to ME as a matter of practical necessity.

Ultimately, I was forced to go to personal contacts to find out
sufficient information. There were people at Sun and personal friends
who understood that I had a multi-billion dollar brokerage and trading
operation to worry about; I got the impression the CERT people we
smart-assed college kids willing to jerk me around for the sake of
playing secret agent with information too valuable to tell. Certainly
nothing wouldhave happened to anyone at CERT were I penetrated -- I
doubt they have any accountability to anyone. No one there could even
give me a proceedure to clear myself as trustworthy -- there was
simply no way to get "there" from "here".

Perhaps you will say that it wasn't their function to help me. If
their function was not to help me, then why bother giving out their
phone number in the first place? Why send out alerts? Its a cruel
trick to hand someone a phone number and then have the person on the
other end as responsive as a rock.

Frankly, I'm glad bugtraq is here and I don't have to rely on them
anymore.


Perry