Bugtraq mailing list archives

Re: FIRST and CERT


From: brunson () sun1 scri fsu edu (Eric Brunson)
Date: Mon, 2 May 1994 15:03:09 -0400 (EDT)




Gene Spafford says:
If someone's site has been broken into, CERT will respond to the phone
24 hours a day.  Maybe their response isn't always as complete as some
people on this list and elsewhere would like.  But they do respond,
and they do try to help sites get cleaned up after incidents and back
"on the air".  They have responded to thousands of incidents, many for
admins at sites who had nowhere else to turn and no clue what to do.

I was in the position of calling up CERT during the last set of
Sendmail trouble. They could tell me nothing of value. I was in a
position of trying to decide whether the threat to the company I
worked for was sufficient to shut down production work going on over
the internet to defend us -- making the wrong decision, either way,
would cost us big time. CERT was a useless lump of merde so far as I
could tell.


[ Diatribe deleted ]

If there is one "useless lump of merde" sitting anywhere on the
Internet, it is Sun Micro.  If they had begun shipping a version of
sendmail that had closed up the known security holes when they were
discovered (has it been 3 years now?) half of these problems would
never have arisen.  I seem to recall that my first introduction to the
sendmail holes was back when SunOS 4.0.x was still a pretty neat
thing.  Then they proceeded to ship insecure sendmails with every
release through 4.1.3 along with a note to the effect of "we know this
is insecure, and the patch is available, but we are just too damn
slack to put it into the release version."

As for CERT, I think you hit the nail on the head when you said that
your help came from "personal contacts", "personal friends" and
"people at Sun".  I.e. people who know you and your intentions along
with the people who should have been responsible for getting it right in
the first place.  This is opposed to a high profile organization, who 
probably get calls from every pinhead on the internet thinking they
can bamboozle CERT into giving away some information that'll help them
get a copy of their programming languages final.

CERT has been very helpful in helping us clean up after one of our
systems (a sun, imagine that) had been compromised by some two-bit
hack with a box of pre-written tools that he most likely got from
someone else on the net.  They have also been prompt and forthright
with new information they've received from other sites this person has
targeted, as well as in coordinating the communication between us and
the ASSIST team, the .mil counterpart to CERT.

And as for the impression that CERT is a bunch of "smart-assed college
kids willing to jerk me around for the sake of playing secret
agent...", I'd like to state that the CERT investigator that has been
in contact with me has been nothing but professional, helpful and
knowledgeable without delusions of grandeur about having all this
"information too valuable to tell."

And when you consider that CERT has a grand total of 14 whole people
to deal with an average of 7 new incidents every day, it's no wonder
they don't have time to give out cracking tips to every Joe Blow who
calls up and asks for them.  Perhaps your company would be better off
investing a little of their "multi-billion dollar" fortune on a system
that didn't have a list of security patches as long as my arm, and
perhaps even an administrator who is willing to do a little research
on his own before whining about not having the clue-book.

Let's put the blame back where it belongs, on the vendors who so
graciously supply us with these security-hole-ridden operating
systems.  And not just Sun, another of my favorite 3-letter OS vendors
loves to ship their machines with a "+" in the hosts.equiv file,
that's secure.

So that's my $.02, I guess I'll just sit here for a while and watch
the flames roll in, for a while.

Sincerely,
A Satisfied CERT Customer.

---------------------------------------------------------------------------
Eric Brunson                                           brunson () scri fsu edu
Unix System Manager / CM2 Manager                              904.644.0188
Supercomputer Computations Research Institute      Florida State University

"The juvenile sea squirt wanders through the sea searching for a
suitable rock or hunk of coral to cling to and make its home for life.
For this task it has a rudimentary nervous system. When it finds its
spot and takes root, it doesn't need its brain any more so it eats it.
It's rather like getting tenure."
  _Consciousness_Explained_ by Daniel C. Dennett


