Re: CERT: the letter from CERT to berkeley.edu admin
This thread is the first set of negative comments I've ever heard
about CERT.
>>> From: Clark Reynard <[email protected]>
>> Excepting the Morris Worm, can you name a SINGLE Computer Emergency
>> which CERT has halted? It is simply an organization to keep the
>> crypto-fascists wired into the net.
My experience with them in the past has been as a clearinghouse for
users to report security-related bugs to vendors, and for vendors to
provide fixes back to users. They've done an admirable job at this;
the major complaint is that they are too slow. They also help
distribute tools like COPS to validate unix workstation security.
They are a proactive organization, not a reactive organization, so
it's meaningless to ask what "Computer Emergencies" CERT has "halted".
I think that calling them "crypto-fascists" is at best an unsupported
smear, and at worst slanderous.
>>> From: peter honeyman <[email protected]>
>> i am disappointed to hear these stories about cert, but encourage others
>> with tales to tell to step forward. this is a real eye-opener.
I agree with Peter. If CERT is beginning to overstep its bounds
perhaps someone should make a calm, rational complaint.
>>> From: [email protected] (Mark Eichin)
>> Umm, I thought CERT was a purely commercial organization, rather than
>> a government one... did I miss something?
from the cert_faq, available as cert.org:/pub/cert_faq:
CERT is sponsored by the Advanced Research Projects Agency (ARPA). The
Software Engineering Institute is sponsored by the U.S. Department of
Defense.
Well, it's not a Government agency, but its money certainly seems to
come from there.
Anyway, what I see here is an organization, founded for good reasons,
which is getting a little out of hand. Rather than going ballistic,
slandering CERT, and claiming they've never done anything of value, I
think we should approach this as an internal problem at CERT.
Currently, there is a big problem on the Internet with randoms using
anonymous dropoff points to trade commercial software illegally. CERT
accepts reports of these problems. In many cases, I imagine, they are
accurate, and the host admins are glad to have the CERT tell them
about it. What we have here, I think, is a few malicious individuals
or groups, who are using the CERT as a weapon against hapless ftp and
mail sites. This problem could be easily alleviated by CERT checking
up on such reports before passing them on to host or domain admins. I
think Julf's example is a good one. A site not running ftp is not
trading in illegal software via ftp. Period.
Idea for Eric: Send a letter to the RISKS Digest <[email protected]>
and <[email protected]>, documenting the RISKS of a "computer security"
organization becoming overzealous, and not researching problems which
have been reported before sending reports to host and/or domain
administrators. Include the letter you forwarded to us, and mention
Julf's problem. Perhaps others will even mention similar problems. I
think this will have the desired effect.
Marc