Bugtraq mailing list archives

Re: UnixWare


From: mouse () collatz mcrcim mcgill edu (der Mouse)
Date: Mon, 2 May 1994 09:57:18 -0400


> > No, but I had thought they [CERT] had advertised themselves as a
> > worthwhile place to report them [bugs], and my perception, and
> > apparently that of many other people here, is that this is not the
> > case.
> It depends on your definition of "useful."  If it is defined as "gets
> the bug reports to all the vendors without also disclosing it to any
> real or potential bad guys in the process; follows up the report to
> make sure that the vendors are maybe working on it; and then provides
> a wide-ranging, trusted announcement method to alert people when the
> fixes are available" then it *is* worthwhile.

True.  However, it's what you _haven't_ said that I consider important.

In particular, "without also disclosing it to any [...] bad guys": they
also don't alert the other white hats that there is any danger,
something that I consider must be done even if it means also telling
the black hats there's a vulnerability.  There are plenty of good
channels of communication among the Dark Side; if you really think that
confining your announcement of the hole to CERT will more than delay
the crackers briefly, I think you're deluding yourself.

If they really want to avoid spilling the beans entirely, CERT should
at _least_ announce something like "there is a vulnerability in <foo>,
we are working with vendors to develop patches" immediately, rather
than delaying until patches are available - which can take months.

As for "follows up [..] maybe working on it": your very words indicate
you're aware of the problem here: vendors often _aren't_ working on it,
and won't until forced to by public awareness of the problem - and they
know they can trust CERT to stay quiet and not kick up that awareness.

The only definitely positive portion left is the trusted channel for
announcing fixes.  And even that doesn't seem to be working; I still
haven't seen a CERT advisory about either of the last two sendmail
bugs.  Their mission - their very name - is to respond; I haven't seen
any sign of response at all.  Mercifully for the security of my system,
I no longer depend on them.

> However, if your definition of worthwhile is "Broadcasts details of
> the bug to only those people who are on a particular network or
> subscription list, including bad guys and hacker 'wannabes,' before
> there is any fix available" then [...] are varying degrees more
> "worthwhile."

All I can ever hope to do is broadcast to people who are listening;
that's all even CERT can do.  And if you really think there are no
black hats at CERT or the vendors CERT tells, again I think you're
deluding yourself.

As for "before there is any fix available", _I_ would certainly rather
know "<foo> is a security hole", even without a fix, than sit on my
thumbs because I don't know any better.  (Of course, I'd still rather
know enough about it to tell whether my particular version of <foo> is
vulnerable.)

Also, history indicates that fixes won't become available from vendors,
regardless of the seriousness of the problem, until enough white hats
find out to start kicking up a fuss.  But if full details are released,
fixes start appearing magically from all over the place, as different
people independently secure their systems.  The quickest way for _me_
to get a fix for _my_ system is, experience teaches, full disclosure.

That's why I don't feel CERT is worthwhile - they don't disclose until
forced to - and even an active problem - in the meantime they soak up
valuable bug reports that could well have provoked real fixes fast if
sent somewhere public instead.

                                        der Mouse

                            mouse () collatz mcrcim mcgill edu
