Re: CERT Funding

[Matthew J Ghio <mg5n+@andrew.cmu.edu>]

Brad Huntting <huntting@glarp.com> wrote:

> > Anyone have any more information about how much CERT spends annually,
> > and where it comes from?  Or should we just assume it is the NSA?
>
> The main gripe most people have about CERT is that they are way
> slow.  Could it be that they systematically inform some parties
> before others, and that it just so happens that the public at large
> is the last to know and the US intelegence community is the first?

From alt.security:

---------- Forwarded message begins here ----------

From: Paul <PAUL@TDR.COM>
Newsgroups: tdr.general,digex.general,alt.security,comp.security.misc
Subject: New List on Computer/Telephone Problems/Bugs/Viruses/Dangers
Date: Sun, 20 Feb 1994 01:05:00 -0500 (EST)
Organization: Tansin A. Darcos & Company, Silver Spring MD
Lines: 72
Message-ID: <9402200105.PAUL@TDR.COM>
NNTP-Posting-Host: access2.digex.net
Followups-To: tdr.general
Xref: bb3.andrew.cmu.edu alt.security:5909 comp.security.misc:5565

This is to announce the creation of a list and newsgroup for the public
disclosure of bugs, system problems, viruses, and any other conditions in
a computer system that people should be aware of so they can fix the
problem. 

It is also appropriate to report security holes, dangerous conditions in
PBXs, cellular and wire telephone systems, and other computer-controlled
devices.  Also reports of things such as default accounts and passwords on
systems that should be changed, etc.

The focus will be on reporting clear descriptions of problems including
how to generate them.  The idea being that this will alert people to the
nature of certain problems that they might be unaware of.  Reproducing
these conditions lets others know what is being done, and can allow people
to post solutions on how to block them.  

The purpose in creating this outlet is that currently, the only means
currently available for reporting discovered security holes in computer
systems and possibly other areas is via the Computer Emergency Research
Team (CERT) out of Carnegie Mellon University. 

The problem with CERT reporting is that the reports generally tend to be
done in secrecy, and it fails to let system administrators and others know
about what is happening so that these things can be fixed.  In short, CERT
acts like a black hole and takes too long to publicize problems until lots
of places get hit because they didn't know about it.

Some people feel that reports should not be publicized because potential
reports might become available to "the bad guys."  Well, the truth of the
matter is that "the bad guys" trade their discoveries around all the time;
the current use of secrecy is only hurting "the good guys" who want to
protect their systems.

There will be two addresses.  The general list will be

PROBLEMS@TDR.COM 

which is used to post a report to the list.   Postings may also be made 
by facsimile to +1 301 492 7617 to the attention of Paul Robinson, or by
telex to USA telex number 6505066432; the answerback is '6505066432MCI UW'.

If your site receives all or most newsgroups, the list is echoed to the 
group tdr.problems.  If you do not receive that hierachy (or prefer to 
receive it as mail), you can subscribe.

To subscribe to the list, or to post a report to me that you do not wish 
to be publicly identified as the sender, use

PROBLEMS-REQUEST@TDR.COM

Currently, both addresses are moderated.  This may change as I upgrade the
software on my system.  Persons wishing to make a report but not be
identified should send the message to me at PROBLEMS-REQUEST and state so
in the text of their message.

Persons wanting to receive this service by facsimile should contact me for
details.  All messages requesting subscriptions or posting information
will be acknowledged.  Please pass this announcement around.

It is my intent to set this up such that people can publicly report known
bugs, viruses and problems in clear detail so everyone knows about them
and can encourage much faster response to these problems than is currently
available.  It may even embarass some manufacturers into making fixes
sooner when their errors are glaringly exposed in public.

---
Paul Robinson - Paul@TDR.COM
-----
The following Automatic Fortune Cookie was selected only for this message:

Never call a man a fool; borrow from him.