Bugtraq mailing list archives

Re: CERT, CIAC, etc. unethical practices


From: mkienenb () arsc edu (Mike Kienenberger)
Date: Sun, 22 Dec 1996 15:06:08 -0900


By withholding information, CIAC and CERT are--in effect--shielding those
sites that can't act quickly.  Yes, it's security by obscurity, and yes,
it isn't as safe as a fix would be, but it *is* better than widespread
distribution of an exploit.  It gives those system managers that don't
have the time to jump on every obscure security hole, or who aren't
*aware* of every security hole, a chance to *learn* or to be told by someone in
the know (such as a vendor).  Yes, it leaves them open for attack longer,
but it also makes it more difficult for the casual cracker to get his
hands on the information and cause problems.

Most security holes can be fixed by:
a) removing a setuid or setgid bit, or
b) providing a wrapper that corrects the path, the environment, or the
   arguments supplied to a program.

*IF* we knew about such problems, it'd be trivial to make a temporary
fix, even for a "below-average" system administrator.

Having even a shoddy patch is better than hoping that your site is
only attacked by below-average crackers.  Security by obscurity is
a poor decision to make if you've got other choices, and most of the
time you do.
---
Mike Kienenberger    Arctic Region Supercomputing Center
Systems Analyst      (907) 474-6842
mkienenb () arsc edu    http://www.arsc.edu
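The "wrapper" fix described in the post, as an added example (not code from the original post or its author): a minimal C wrapper that takes over the setuid bit from the real program, discards the caller's environment in favour of a fixed PATH, and rejects arguments outside a conservative character set before exec'ing. The target path REAL_PROG and the argument rule are hypothetical placeholders.

```c
/* Added example: a sanitizing setuid wrapper.  Install this binary with
 * the setuid bit the real program used to carry, and remove that bit from
 * the real program so it can only be reached through this wrapper.
 * REAL_PROG and the argument character set are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define REAL_PROG "/usr/libexec/real-program"   /* hypothetical target */

/* The only environment the real program will see: a fixed PATH and nothing
 * inherited from the caller, so LD_PRELOAD, IFS, ENV, etc. never get through. */
static char *const safe_env[] = { "PATH=/usr/bin:/bin", NULL };

/* Accept only non-empty arguments of at most 64 bytes drawn from
 * [A-Za-z0-9._-]; this excludes '/', whitespace and shell metacharacters.
 * Returns 1 if the argument is acceptable, 0 otherwise. */
int arg_is_safe(const char *arg) {
    size_t n = strlen(arg);
    if (n == 0 || n > 64) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Check argv[1..argc-1]; returns the index of the first rejected argument,
 * or -1 when every argument passes. */
int first_bad_arg(int argc, char *const argv[]) {
    for (int i = 1; i < argc; i++)
        if (!arg_is_safe(argv[i])) return i;
    return -1;
}

int main(int argc, char *argv[]) {
    int bad = first_bad_arg(argc, argv);
    if (bad != -1) {
        fprintf(stderr, "wrapper: rejected argument %d\n", bad);
        return 1;
    }
    argv[0] = REAL_PROG;             /* fix argv[0] as well as the path */
    execve(REAL_PROG, argv, safe_env);
    perror("wrapper: execve");       /* only reached if exec failed */
    return 1;
}
```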


