Bugtraq mailing list archives

Re: CERT, CIAC, etc. unethical practices


From: apropos () sover net (Apropos of Nothing)
Date: Sun, 22 Dec 1996 10:56:02 -0500


The key issue here is respect for the *freedom* of intellectual property.
The people of CERT shouldn't be making a judgement call on the people of
Bugtraq.  People in Bugtraq are not, on the whole, posting code to be
malicious, it's just that they believe in the free dissemination of
information.

CERT's, CIAC's, and others' policies seem to be supporting everything but
the free dissemination of information.  Here's why:

CERT (I'll use CERT as an example) releases code only when someone else
has publicly warned of the hole.  Does this spread the message of an
organization trying to be informative?  No, CERT tries to keep holes quiet
until absolute dire straits.  Take the message from Alan Cox, about slow
vendor response: let's all take bets on how fast the patch is going to
come now that the exploit has been revealed.  Face it, there has come a
time when the only way to prompt a patch or public security notice is to
tell everyone there's a problem.  So what happens if you warn CERT
beforehand?  According to several people on Bugtraq: Nothing.

The next problem is, of course, that CERT refuses to recognize the people
who found a given hole in the first place.  I won't go into this issue
since it's been beaten to a dead pulp already.

CERT doesn't seem to come up with many of its own security alerts.  When
was the last time you saw a CERT alert that hadn't been posted to Bugtraq
beforehand?  How can they flagrantly ignore the people who discover the
security holes, when the people who discover the security holes are the
only ones doing the dirty work?

Finally, CERT makes a pointed effort to hide exploit information; their
advisories can be extremely cryptic for this reason, and sometimes they don't
even release a patch because it would give away the exploit.  Is this free
information?  You tell me.

I hope you can see why these company policies need changing.  Since the
fault here is not a legal one, but rather a moral one, social action is the
only recourse.  I propose a letter writing campaign (this does not mean, I
repeat DOES NOT MEAN a mail bombing campaign).  Everyone should write well
thought out letters to the following addresses:

CERT
- - - - - - -
Email:   cert () cert org

CIAC
- - - - - - -
 Email:   ciac () llnl gov

FreeBSD
- - - - - - -
Confidential contacts:          security-officer () freebsd org
Security public discussion:     security () freebsd org

SGI
- - - - - - -
Email:     cse-security-alert () csd sgi com

SUN
- - - - - - -
Email:     security-alert () Sun COM

Of course, if you feel like your messages are getting ignored at the above
addresses, just send the same message to the root user at the server.

Apropos of Nothing
