Bugtraq mailing list archives
Re: CERT/AUCERT
From: deraadt () cvs openbsd org (Theo de Raadt)
Date: Thu, 19 Dec 1996 17:15:28 -0700
> Within the past few months, there has been a decisive trend in CERT/AUCERT's release of vulnerability notices.

AUSCERT, I think it is.
Yeah, AUSCERT is starting to do a better job. CERT continues to suck. I think security problems will continue to be discussed in bugtraq first; however, we must consider that AUSCERT has the ears of lots of other people. For example, the CIAC advisory earlier today was simply an encapsulation of the AUSCERT cron advisory -- suddenly it goes out to a lot more people. CIAC responded to an AUSCERT posting, but they don't normally do that in response to similar bugtraq postings. AUSCERT isn't going to find the bugs, but they do promise a larger audience, more credibility, and greater vendor contact than bugtraq can provide. (Not that the vendor contact seems to matter much; I note Sun is still investigating the ping problem that everyone else has fixed.) I too would like to ask AUSCERT to start giving credit. If someone finds something new, they deserve it -- and in my memory it has NEVER been a vendor who deserves the credit. Yes, even SOD deserves credit -- I may not like how they are going about releasing the bugs, but they are certainly proving a point. (I'd actually be thrilled to see Solaris/NT Bug of the Week groups formed.) The myth that these holes will get fixed by vendors without this kind of pressure was dispelled a long time ago.
> A bug appears on BugTraq, and within hours or days, an AUCERT or CERT vulnerability notice appears. That is a GoodThing(tm).
A CERT notice!? Surely you jest -- a fast response from them takes 3 weeks. If you want to know about new security problems you are well advised to ignore CERT advisories since your time is wasted reading them.
> since, did I offend them? This really isn't a game of responsible CERTs vs dirty crackers, it's just a matter of professionals sharing valuable knowledge.
CERT's recent actions make me believe that it is a matter of unresponsible (and unresponsive) CERTs vs... well, just some guys who like to discover something new. Personally I believe CERT is under vendor pressure to not release information.
> In the case where there isn't one clearly defined author then probably the forum should be acknowledged, eg maybe with a reference to the bugtraq web archive site.
There are a number of people on bugtraq who can find out who such credit should be given to. For interest's sake, I would also like to see a timeline of when the bug was discovered, exploited, first known about in a public forum, and when the advisory finally came out. I'm working on the OpenBSD operating system and we take credit very seriously (and we also take security VERY seriously ;-)