Bugtraq mailing list archives

Re: CERT, CIAC, etc. unethical practices


From: scoile () patriot net (Steve Coile)
Date: Sun, 22 Dec 1996 15:26:50 -0500


First, let me make clear that I'd prefer to see exploit information more
widely distributed.  It certainly makes it easier for me, as a systems
administrator, to judge the severity of the problem than the traditional,
nebulous "we have identified a problem" statement.

I imagine that these organizations are looking at the situation from a
much more practical standpoint than many of us are.  Bear in mind that
those who participate in BugTraq are, I would guess, on average much
more experienced and security-conscious than the average system and
network managers.  We have (or make) the time to keep up, and we know
enough to competently assess the problems discussed here.  We benefit
by the swift transmission of information because we know enough to attack
the problems quickly.  I submit that we are atypical, that the *average*
systems manager doesn't have the skills necessary to hack the kernel
or throw together a program to correct a problem.  I submit that the
average systems manager is at the mercy of the vendors, and must either
wait for a fix from a vendor, or pay through the nose for a solution
that interferes with their support contracts.

By withholding information, CIAC and CERT are--in effect--shielding those
sites that can't act quickly.  Yes, it's security by obscurity, and yes,
it isn't as safe as a fix would be, but it *is* better than widespread
distribution of an exploit.  It gives those system managers that don't
have the time to jump on every obscure security hole, or who aren't
*aware* of every security hole, a chance to *learn* or to be told by someone in
the know (such as a vendor).  Yes, it leaves them open for attack longer,
but it also makes it more difficult for the casual cracker to get his
hands on the information and cause problems.

The problem is a practical one: there simply *are* and *always will be*
a non-trivial number of systems that *don't* have dedicated systems
managers, that *can't* be fixed quickly, and that *are* subject to
vendor constraints.  We can ignore these people and steamroll over
them by broadcasting every hole to every cracker in existence with the
hope that vendors will become more responsive, or we can strive to
achieve a reasonable medium where information is available to those
that want the details, and that announcements are made to provide an
overview of the problem.  Frankly, I think we're already there, since
problem descriptions are available to those that seek them out (BugTraq),
exploits are available to those that seek them out (BugTraq), and overview
announcements are made to those that don't have the time, experience,
or skill to work independently of their vendors (CERT, CIAC, etc.).

The information is already out there, and it's freely accessible.
If someone doesn't like the way CERT and CIAC do business, start your own
announcement service.  CERT and CIAC, I'm sure, feel justified in the
way they distribute alerts.  Given how trivial it is to put together a
mailing list and to advertise it, there's no reason someone else couldn't
pick up the baton and run just as far as CERT and CIAC have.

On the issue of attribution, I wonder if there might be a legal reason
to *not* reveal sources.  Several possibilities (and I'm no lawyer,
so this is speculation):

+ Insufficient research on a problem prior to an announcement results
  in an inaccurate announcement.  The reputation of a vendor suffers
  because of an inaccurate or incomplete announcement.  The vendor could
  sue for libel.

+ Exploits are distributed that are used to attack machines that provide
  critical services, resulting in the loss of life.  Could the author
  of the exploit be held liable for negligence or reckless endangerment?

+ A problem is revealed and exploit provided by a very well known,
  disreputable group.  Many system managers choose to ignore the
  announcement because of the group's reputation.

The non-attribution policy is especially effective against the third.
CERT has a very good reputation.  If CERT associates itself with
less-reputable organizations, it stands to lose its own good standing,
which makes it less effective.  By failing to attribute the originator
of the report, the credibility of the originator is no longer a question.

--
    Steve Coile           P a t r i o t  N e t      Systems Engineering
 scoile () patriot net      Patriot Computer Group        (703) 277-7737


