Bugtraq mailing list archives

Re: CERT, CIAC, etc. unethical practices


From: zen () trouble org (d)
Date: Sun, 22 Dec 1996 11:46:22 -0800


apropos () sover net said:
The key issue here is respect for the *freedom* of intellectual property.
The people of CERT shouldn't be making a judgement call on the people of
Bugtraq.  People in Bugtraq are not, on the whole, posting code to be
malicious, it's just that they believe in the free dissemination of
information.

Sheesh, I'm not saying anything about *why* people are posting code.  And I
disagree it's about freedom of IP; it's a social issue, as you yourself
say later in your own letter.  And people (including myself) make negative
judgement calls all the time about CERT - why is it surprising that they
do the same?

And when all they get is a "here's some code, fuck you" - do you think
they're going to work anymore with you on the problem?  Perhaps ask you
what you think of a proposed fix?


And don't even *think* that I'm arguing about the effectiveness of CERT's
actions.  I had reasons for quitting, and as far as I can see, it hasn't
gotten any better, and that was a long time ago.

Chris Lavin <clavin () iag net> said:
Well we tried this recently with Sun! Sun in no uncertain terms
told us OH WELL!
[...] We have tried the diplomatic route IT DON'T WORK!..

There are people in sun who *can* and have gotten some things done
(caspar.dik () sun com and brad.powell () sun com are really great outside
the normal loop, and at least in my experience mark graff will really try
to get something resolved) I didn't say it'd work every time, with sun
or anyone else, I was simply addressing one issue, that of getting
recognition.  And I'm sure other vendors have similar people there.

And apropos () SOVER NET said:

CERT(s) are entirely unwilling to make any agreement
with a third party (except possibly the vendors) about taking action on a
given vulnerability.

Well, in the moderately recent rpc.statd CA:

The CERT Coordination Center thanks Andrew Gross of the San Diego
Supercomputer Center for reporting this problem...

I happen to know that andrew gave them exploit code, and yet he got kudos.

It happens.

I personally happen to think it's pretty sad that they *don't* give
recognition, regardless of the reasons.  Even if you said "fuck you, HP,
here's the latest" they could say something like "HP originally was
made aware of the problem by bug-o-the-day () foo bar."

But, we see time and again people here and other places not getting
recognition.  I am simply attempting to point out why I think this is,
not that I personally condone it or think that it's a good idea.

-- d