From: rclark@nyx.cs.du.edu (Robert W. F. Clark)
Date: Thu, 10 Jun 93 04:46:52 PDT
To: cypherpunks@toad.com
Subject: Forward of my message to CERT
Message-ID: <9306101147.AA20953@nyx.cs.du.edu>
MIME-Version: 1.0
Content-Type: text/plain


Dear Moira,
I was somewhat disturbed to note the recent actions of CERT with
regard to Johan Helsingius' site anon.penet.fi; and with
regard to the cypherpunks' archive at soda.berkeley.edu.  

I read a clarification of your position which appeared to regret
any inconvenience these actions and others may have caused, it
still seemed that you do not intend to exercise any more caution
in the phrasing of your message.  While the message disclaims
that you have verified the information included in it, it still
bears the phrasing of an accusation, not an advisory.

While it is certainly laudable to bring potential security problems
to the attention of system administrators and users, the method
in which this was done, and those to whom you mentioned it, cause
me serious doubts as to the effectiveness of your actions.

In the first case, that of Johann Helsingius, you did not notify
the system administrator but the domain manager for all Finland.
Not only is the domain manager in no position to patch potential
security holes in a local system, but additionally he probably
has more important tasks than checking out false reports.

Allegations were made by an unnamed officer of CERT that the
site was illegally distributing software by anonymous ftp; whereas,
even the most rudimentary efforts at verification would have revealed that
the site in question does not operate anonymous ftp.

It is neither sensible nor equitable to contact a domain
administrator without even contacting the administrator of the questionable
system; especially the domain administrator of an entire sovereign
nation.  Certainly, if CERT can not even bother to take the time of
even a preliminary verification of their reports before announcing them,
certainly it seems to be an imposition to demand that the domain
administrator of an entire country spend time investigating spurious
reports.

If there is suspicion that a particular machine has been compromised,
and is thus an insecure method of contacting the administrator, perhaps
contacting the administrator by postal mail or by telephone would
be more sensible than contacting the administrator of all the machines
in Finland.  Certainly if the machine itself is compromised, it is
quite possible that the entire domain is also compromised, and email
may be insecure and easily available to hostile third parties.

With the additional implication in the ominous form letter you mail
that the person responsible for the machine may be involved in illegal
activities, the potential for abuse of CERT by people filing false
reports is, though perhaps not in itself a "computer emergency,"
is certainly something which you ought to consider in your standard
procedures.

As sites which use TCP/IP without providing for authentication are
considered security holes, so is a Computer Emergency Response Team
which does the same thing, that is, simply relays accusations
without any authentication of their veracity.  

Considering the possible damage to the reputations of persons not
involved in illegal activity, and the disruption of services which
results when such accusations are made, actions of this sort are
retrogressive and represent as significant a threat to the systems
as would a 'denial of service' attack.

Please be more careful in the future when relaying such messages.
----
Robert W. F. Clark
rclark@nyx.cs.du.edu