Bugtraq mailing list archives

Re: CERT, CIAC, etc. and unethical practices


From: joshd () cs umd edu (Joshua Daymont)
Date: Sun, 22 Dec 1996 13:05:42 -0500


While one could easily understand the CERT(s) getting angry at full
disclosure groups which sometimes scoop CERT without warning them, I
still do not understand the CERTs' attitudes towards some full disclosure
groups and many individuals who are mainly interested in getting the holes
fixed and are perfectly willing/happy to cooperate with vendors and
CERT(s).  The impression I've gotten, and which has been reinforced secondhand
by others, is that the CERT(s) are entirely unwilling to make any agreement
with a third party (except possibly the vendors) about taking action on a
given vulnerability.  On top of this, most people I know who've handed
things to the CERT(s) not only do not receive a reply, but
we do not see any visible action taken even after a month or more.  While
certainly there are some people out there who are more interested in
showing the 'net that they know something about security more than
they want to fix holes, I think the vast majority of people posting
information to places like bugtraq would be willing and in fact happy to
cooperate with the CERT(s).  The prevailing feeling I get is that it is
the CERT(s) who do not want to cooperate with them, and not vice versa
(disclaimer: this is based on my talks with individuals and I could be
wrong about people in general).

Certainly, Dan, as you say, there are some groups/people who have a sort of
'in your face' attitude (SoD comes to mind).  But in general these
groups/people are a small minority.  8lgm, ASR (with minor exceptions),
Dave Meltzer, The L0pht, etc., and most others did/do make a point to be as
professional as possible.

Josh

On Sat, 21 Dec 1996, d wrote:

While I applaud Lotus, and not to be a wet blanket or anything, I
think that more companies would be more enthusiastic about acknowledging
contributions of the people on these lists if they perceived us working
with them, rather than against them.  Posting code to a list & telling the
world in no uncertain terms that you think that they are complete
assholes and idiots is not the best way to make friends with them.
If you don't want to be friendly with 'em, I don't care myself - it's
a free world (at least in many places.)  Just don't be too surprised when
they say, essentially "fuck you" right back at ya by not giving you credit
that you definitely deserve.

One of the most effective things that I've seen (from working at CERT and
at a couple of Unix vendors), that is, if you want some sort of credit,
is to simply notify the vendor/developers/CERTs/whatever of the problem
*before* posting it to the list.  Give them a bit of time to work out a
fix, and *then* post the details.  You might say that you don't know
who to send things to or that they will just take too long to fix it
and it's not worth your time, but I sometimes wonder how often people have
even tried this approach lately - certainly I haven't seen much
complaining lately about trying to talk to them *before* posting it on
a list.  There are often sympathetic ears at some of these companies,
although it can be hard to find them (and perhaps if anyone ever does
find one at any company it might be worth posting about it and telling the
rest of us who to contact in the future).

Again, I think it's great what Lotus did, and I'm certainly all for
places like the l0pht and yuri and sod and so on (just to name a few
places) - it's obvious that there are a lot of bright and talented
people out here.  But I haven't seen much talent in the ol' PR dept.
lately.

Just some thoughts -

-- d



