Bugtraq mailing list archives
Re: CERT, CIAC, etc. unethical practices
From: scoile () patriot net (Steve \)
Date: Sun, 22 Dec 1996 15:26:50 -0500
First, let me make clear that I'd prefer to see exploit information more widely distributed. It certainly makes it easier for me, as a systems administrator, to judge the severity of the problem than the traditional, nebulous "we have identified a problem" statement.

I imagine that these organizations are looking at the situation from a much more practical standpoint than many of us are. Bear in mind that those who participate in BugTraq are, I would guess, on average much more experienced and security-conscious than the average system and network managers. We have (or make) the time to keep up, and we know enough to competently assess the problems discussed here. We benefit by the swift transmission of information because we know enough to attack the problems quickly.

I submit that we are atypical, that the *average* systems manager doesn't have the skills necessary to hack the kernel or throw together a program to correct a problem. I submit that the average systems manager is at the mercy of the vendors, and must either wait for a fix from a vendor, or pay through the nose for a solution that interferes with their support contracts.

By withholding information, CIAC and CERT are--in effect--shielding those sites that can't act quickly. Yes, it's security by obscurity, and yes, it isn't as safe as a fix would be, but it *is* better than widespread distribution of an exploit. It gives those system managers that don't have the time to jump on every obscure security hole, or who aren't *aware* of every security hole, a chance to *learn* or to be told by someone in the know (such as a vendor). Yes, it leaves them open for attack longer, but it also makes it more difficult for the casual cracker to get his hands on the information and cause problems.

The problem is a practical one: there simply *are* and *always will be* a non-trivial number of systems that *don't* have dedicated systems managers, that *can't* be fixed quickly, and that *are* subject to vendor constraints.

We can ignore these people and steamroll over them by broadcasting every hole to every cracker in existence with the hope that vendors will become more responsive, or we can strive to achieve a reasonable medium where information is available to those that want the details, and announcements are made to provide an overview of the problem. Frankly, I think we're already there, since problem descriptions are available to those that seek them out (BugTraq), exploits are available to those that seek them out (BugTraq), and overview announcements are made to those that don't have the time, experience, or skill to work independently of their vendors (CERT, CIAC, etc.). The information is already out there, and it's freely accessible.

If someone doesn't like the way CERT and CIAC do business, start your own announcement service. CERT and CIAC, I'm sure, feel justified in the way they distribute alerts. Given how trivial it is to put together a mailing list and to advertise it, there's no reason someone else couldn't pick up the baton and run just as far as CERT and CIAC have.

On the issue of attribution, I wonder if there might be a legal reason to *not* reveal sources. Several possibilities (and I'm no lawyer, so this is speculation):

+ Insufficient research on a problem prior to an announcement results in an inaccurate announcement. The reputation of a vendor suffers because of an inaccurate or incomplete announcement. The vendor could sue for libel.

+ Exploits are distributed that are used to attack machines that provide critical services, resulting in the loss of life. Could the author of the exploit be held liable for negligence or reckless endangerment?

+ A problem is revealed and exploit provided by a very well known, disreputable group. Many system managers choose to ignore the announcement because of the group's reputation.

The non-attribution policy is especially effective against the third. CERT has a very good reputation. If CERT associates itself with less-reputable organizations, it stands to lose its own good standing, which makes it less effective. By failing to attribute the originator of the report, the credibility of the originator is no longer a question.

--
Steve Coile
P a t r i o t N e t
Systems Engineering
scoile () patriot net
Patriot Computer Group
(703) 277-7737