1993-06-08 - Re: CERT: the letter from CERT to berkeley.edu admin

Header Data

From: Matt Blaze <mab@crypto.com>
To: smb@research.att.com
Message Hash: 3ae84586411e5997dcc3dc46a7a14ea377715db90cfa4248a9ba8c6401807bbd
Message ID: <9306082126.AA29129@crypto.com>
Reply To: <9306082022.AA25894@toad.com>
UTC Datetime: 1993-06-08 21:42:10 UTC
Raw Date: Tue, 8 Jun 93 14:42:10 PDT

Raw message

From: Matt Blaze <mab@crypto.com>
Date: Tue, 8 Jun 93 14:42:10 PDT
To: smb@research.att.com
Subject: Re: CERT: the letter from CERT to berkeley.edu admin
In-Reply-To: <9306082022.AA25894@toad.com>
Message-ID: <9306082126.AA29129@crypto.com>
MIME-Version: 1.0
Content-Type: text/plain



....
>
>If you asked CERT to justify such notes, they'd probably quote the
>following text from their press release on ftp.cert.org:
>
>	It will also serve as a focal point for the research community
>	for identification and repair of security vulnerabilities,
>	informal assessment of existing systems in the research
>	community, improvement to emergency response capability, and
>	user security awareness.
>
>``User security awareness'' sounds about right.
>
....

Steve,

I think CERT is off base with these notes.  The problem, to my eyes, is not
that they're notifying administrators of potential problems before they occur;
that's all well and good, and probably easily within their charter.  What I
take issue with is the underhanded manner in which they seem to be doing it.
According to the reports from soda and penet, the notes were not sent 
in response to any specific request from the sites in question, but rather
on the initiative of someone at CERT itself or in response to some vague
complaint from a third party.  Furthermore, the notes were sent
"above the heads" of the individual site administrators (perhaps to whoever
is listed in the domain contact at the NIC), apparently causing bad feelings
and misunderstanding in at least the two cases reported here.

If they had sent mail to the postmasters at the individual sites saying
"hey, did you know your machine has a writeable anonymous ftp directory?"
that's one thing.  I'd interpret that as a friendly and helpful gesture.
Instead, the impression is one of, at best, unwelcome meddling, or, at worst,
some kind of bizarre network-vigilantism.  If they find something they don't
like about one of my computers, who else are they going to send mail to?
My boss?  My mother?

I should point out that I've dealt with CERT myself a couple of years ago
regarding an intruder on a machine I administered, and found them to be
nothing but helpful and professional.  Their assistance was, however, limited
to reacting to specific problems that I asked them to help with.  They never
initiated any kind of audit of my site or did anything that would make me feel
as if they were some kind of "net cop wannabes" who were "checking up" on
my computers.  I'd hate to see that image changing, because they have the
potential to provide an increasingly valuable service as the internet grows.

-matt





