Bugtraq mailing list archives
Re: CERT, CIAC, etc. and unethical practices
From: joshd () cs umd edu (Joshua Daymont)
Date: Sun, 22 Dec 1996 13:05:42 -0500
While one could easily understand the CERT(s) getting angry at full disclosure groups which sometimes scoop CERT without warning them . I still do not understand the CERTs' attitudes towards some full disclosure groups and many individuals who are mainly interested in getting the holes fixed and are perfectly willing/happy to cooperate with vendors and CERT(s). The impression I've gotten, and has been reinforced second hand by others is that the CERT(s) are entirely unwilling to make any agreement with a third party (except possibly the vendors) about taking action on a given vulnerability. On top of this most people I know who've handed things to the CERT(s) not only do not receive a reply, but we do not see any visible action taken even after a month or more. While certainly there are some people out there who are more interested in showing the 'net that they know something about security more than they want to fix holes, I think the vast majority of people posting information to places like bugtraq would be willing and in fact happy to cooperate with the CERT(s). The prevailing feeling I get is that it is the CERT(s) who does not want to cooperate with them, and not vice versa (disclaimer: this is based on my talks with individuals and I could be wrong about people in general). Certianly Dan, as you say there are some groups/people who have a sort of 'in your face' attitude(SoD comes to mind). But in general these groups/people are a small minority. 8lgm, ASR(with minor exceptions), Dave Meltzer, The L0pht, etc and most others did/do make a point to be as professional as possible. Josh On Sat, 21 Dec 1996, d wrote:
While I applaud lotus, and not to be a wet blanket or anything, I think that more companies would be more enthusiastic about acknowledging contributions of the people on these lists if they perceived us working with them, rather than against them. Posting code to a list & telling the world in no uncertain terms that you think that they are complete assholes and idiots is not the best way to make friends with them. If you don't want to be friendly with 'em, I don't care myself - it's a free world (at least in many places.) Just don't be too surprised when they say, essentially "fuck you" right back at ya by not giving you credit that you definitely deserve. One of the most effective things that I've seen (from working at cert and at a couple of unix vendors), that is, if you want some sort of credit, is to simply notify the vendor/developers/CERTs/whatever of the problem *before* posting it to the list. Give them a bit of time work out a fix, and *then* post the details. You might say that you don't know who to send things to or that they will just take too long to fix it and it's not worth your time, but I sometimes wonder how often people have even tried this approach lately - certainly I haven't seen much complaining lately about trying to talk to them *before* posting it on a list. There are often sympathetic ears at some of these companies, although it can be hard to find them (and perhaps if anyone ever does find one at any company it might be worth posting about it and telling the rest of us who to contact in the future). Again, I think it's great what lotus did, and I'm certainly all for places like the l0pht and yuri and sod and so on (just to name a few places) - it's obvious that there are a lot of bright and talented people out here. But I haven't seen much talent in the ol' PR dept. lately. Just some thoughts - -- d
Current thread:
- Re: CERT, CIAC, etc. and unethical practices d (Dec 21)
- Re: CERT, CIAC, etc. and unethical practices Chris Lavin (Dec 22)
- Re: CERT, CIAC, etc. and unethical practices Joshua Daymont (Dec 22)
- <Possible follow-ups>
- Re: CERT, CIAC, etc. and unethical practices Catherine Allen (Dec 22)