Bugtraq mailing list archives
Re: CERT, CIAC, etc. unethical practices
From: deraadt () cvs openbsd org (Theo de Raadt)
Date: Sun, 22 Dec 1996 13:44:25 -0700
tell everyone there's a problem. So what happens if you warn CERT beforehand? According to several people on Bugtraq: Nothing.
Like for the new crontab/cron bugs? Paul Vixie and CERT were notified about the problems about 3 months ago. I'm sure we can all think of numerous cases where it's had zero impact. Thinking back, the Lotus case is very interesting because it's the first case where a bug has been a) found b) fixed c) properly credited *before* it hit bugtraq.
CERT doesn't seem to come up with many of its own security alerts. When was the last time you saw a CERT alert that hadn't been posted to Bugtraq beforehand? How can they flagrantly ignore the people who discover the security holes, when the people who discover the security holes are the only ones doing the dirty work?
I'm probably going out on a limb when I suggest it is time to stop telling CERT ahead of time. Certainly I won't bother telling CERT anymore. There's no benefit to the community or me to spend the time writing them a letter. By the way, has any group besides OpenBSD taken any major preventative measures against ftp bounce attacks (whether they be dangerous, denial of service, or simply a waste of paper...)? Has anyone done a major cleanup of /tmp holes (i.e. mktemp and friends)? Another thing that dismays me about the entire security field is that nothing is getting fixed until an exploit exists.