Bugtraq mailing list archives
Re: CERT/AUCERT
From: itudps () ntx city unisa edu au (itudps)
Date: Fri, 20 Dec 1996 09:32:05 +1030
> Within the past few months, there has been a decisive trend in CERT/AUCERT's release of vulnerability notices.

AUSCERT, I think it is.

> A bug appears on BugTraq, and within hours or days, an AUCERT or CERT vulnerability notice appears. That is a GoodThing(tm). However. In these notices, CERT/AUCERT has failed to credit the authors of those exploits. Now, yes, it is entirely possible CERT/AUCERT has known about these holes for ages, and just decided not to release a vulnerability notice. Of course, that can't be true, because that would make them willing accomplices to break-ins. So, assuming that they didn't know about these holes, and the way too coincidental timing issue, I would have to say AUCERT/CERT owes a number of people an apology, at the very least.
>
> I politely asked CERT about this. "Not our policy to acknowledge", to paraphrase the response. Then I pointed out that they *always* bend over backwards to acknowledge computer companies and the other CERT (whichever one is doing the announce) to the point of effusiveness at times. No reply since, did I offend them? This really isn't a game of responsible CERTs vs dirty crackers, it's just a matter of professionals sharing valuable knowledge. Knowledge which is significant enough to be worth a lot of money to a lot of people, regardless of intellectual property laws.

They should be far more careful, and apply common decency besides. It seems to me that they might have a case for not acknowledging when all that was posted was an exploit, not a fix. However, when both are posted together it smacks of plagiarism to me to repost another version of the fix without acknowledgement. By this logic the author of the recent SGI stuff should get a mention but SOD should not, since SOD don't (as far as I can recollect) publish fixes as well. In the case where there isn't one clearly defined author then probably the forum should be acknowledged, e.g. maybe with a reference to the bugtraq web archive site. This will spread knowledge of both the good and the bad, but if xCERT want to use other people's brains they must deal professionally with us.

--
Dan Shearer                          email: Dan.Shearer () UniSA edu au
Information Technology Unit          Phone: +61 8 302 3479
University of South Australia        Fax:   +61 8 302 3385