Bugtraq mailing list archives

Re: CERT, CIAC, etc. unethical practices


From: deraadt () cvs openbsd org (Theo de Raadt)
Date: Sun, 22 Dec 1996 13:44:25 -0700


tell everyone there's a problem.  So what happens if you warn CERT before
hand?  According to several people on Bugtraq: Nothing.

Like for the new crontab/cron bugs?  Paul Vixie and CERT were notified
about the problems about 3 months ago.  I'm sure we can all think of
numerous cases where it's had zero impact.  Thinking back, the Lotus
case is very interesting because it's the first case where a bug has
been
        a) found
        b) fixed
        c) properly credited
*before* it hit bugtraq.

CERT doesn't seem to come up with many of its own security alerts; when
was the last time you saw a CERT alert that hadn't been posted to Bugtraq
beforehand?  How can they flagrantly ignore the people who discover the
security holes, when the people who discover the security holes are the
only ones doing the dirty work?

I'm probably going out on a limb when I suggest it is time to stop
telling CERT ahead of time.  Certainly I won't bother telling CERT
anymore.  There's no benefit to the community or me in spending the time
writing them a letter.

By the way, has any group besides OpenBSD taken any major preventative
measures against ftp bounce attacks (whether they be dangerous, denial
of service, or simply a waste of paper...)?

Has anyone done a major cleanup of /tmp holes (i.e. mktemp and friends)?

Another thing that dismays me about the entire security field is that
nothing is getting fixed until an exploit exists.
