Bugtraq mailing list archives
Re: CERT does it again.
From: ahuger () silence secnet com (Alfred Huger)
Date: Tue, 22 Jul 1997 15:46:58 -0600
Re: CERT, Issues of credit (or lack thereof) and vulnerability advisories

If memory serves me correctly, a similar thread carried its way across this list in the not too distant past. As a rule, I like to remain silent on these issues; however, I'm feeling pretty verbose today, so excuse me while I expound on CERT, issues of credit and some personal observations on FIRST.

SNI (the company for which I work) has a fair amount of experience with bug reports, advisories etc. In the course of our own advisory writing we have learned a few things which I would like to impart to the rest of you.

First, people need to understand FIRST organizations (perhaps CERT in particular). FIRST organizations are by and large Incident Response based; pay some attention to this. Their primary role is to respond to constituents, provide them with support for break-ins, and on occasion notify them of currently abused software packages. Most FIRST organizations, in the non-profit arena at least, are woefully if not wholly incapable of pro-active vulnerability assessment. There are a number of reasons for this. Primarily, their work load is stupefying in some cases, and most if not all of the non-profit FIRST groups are seriously understaffed. Please note that this is not my attempt at being an apologist for FIRST (CERT in particular); I am simply stating some realities as I have seen them.

The problem lies in the fact that organizations such as CERT have yet to come public and let the world know precisely what their capabilities are. They are *not* in most cases capable (for above mentioned reasons, and others) of doing vulnerability assessment. If you are interested in getting bugs fixed, go to the vendor, go fix it yourself or go public. Sending your bugs to CERT is pretty unsatisfying in most cases.

While I am on this topic, let me dispel another myth. CERT and other IRTs have no more authority or pull than you as a user do with vendors. They get stonewalled and brushed off just like the rest of us. This is another thing they should be straightforward about. FIRST teams do not have a magic contact at vendors which will see the bugs you send them fixed. To emphasize this, let me share a quote I recently heard from a vendor contact at the FIRST symposium in Bristol.

Vendor contact: "Company X is a multi-billion dollar company, do you really think they are going to spin on a dime to fix a bug for you?"

He continued to expound on the values of Bugtraq, and how he appreciates seeing bugs posted as it helps him save time having engineers research problems sent to him.

Another issue, perhaps one more serious, is that most vendor security contacts whom you send mail to have very little authority inside of their organization. They are in the uncomfortable situation of being the contact point for bugs, which they may very well like to see fixed, but have no authority to issue fixes for.

Vendors are complicated money driven creatures. Never make the mistake of assuming they are benevolent in their dealings with you. Their bottom line is profit. Until security starts taking a bite out of their profit margins, security is going to continue to be neglected. FIRST groups simply cannot change vendor attitudes like this; however, we as a purchasing public can. Free alternatives exist; use them. Purchase decisions fall inside the control of many people here; exercise it. Let vendors know you take security as a priority and that it affects your purchasing decisions.

Now having said this, I will address CERT's serious and habitual predilection for not giving credit etc. I think it's pretty dismal that they continue to do this. Seeing as they are housed at CMU, I wonder if a CMU academic honesty committee has any authority over them. Last time I checked, lack of credit and plagiarism are still serious offenses in the academic community.

In closing let me state that, while some FIRST groups behave less than perfectly, and some vendors are borderline negligent in their behaviour, not all vendors or FIRST groups fall into this category. We tend to criticize but not compliment the vendors and FIRST groups. SNI has had *very* good experiences dealing with Sun (post Mark Graff era), HP, BSDI, the Apache developers, Stronghold, OpenBSD, FreeBSD as well as some individual maintainers/vendors. We feel they deserve some credit for attempting to address the problems sent to them. As far as FIRST groups go, AUSCERT does a very good job. Credit where credit is due.

/*************************************************************************
Alfred Huger                Phone: 403.262.9211
Secure Networks Inc.        Fax:   403.262.9221
**************************************************************************/