From: Marc Horowitz <marc@GZA.COM>
Date: Tue, 8 Jun 93 10:05:32 PDT
To: Eric Hughes <hughes@soda.berkeley.edu>
Subject: Re: CERT: the letter from CERT to berkeley.edu admin
In-Reply-To: <9306081620.AA07331@soda.berkeley.edu>
Message-ID: <9306081705.AA13681@dun-dun-noodles.aktis.com>
MIME-Version: 1.0
Content-Type: text/plain


This thread is the first set of negative comments I've ever heard
about CERT.  

>>> From: Clark Reynard <clark@metal.psu.edu>
>> Excepting the Morris Worm, can you name a SINGLE Computer Emergency
>> which CERT has halted?  It is simply an organization to keep the
>> crypto-fascists wired into the net.

My experience with them in the past has been as a clearinghouse for
users to report security-related bugs to vendors, and for vendors to
provide fixed back to users.  They've done an admirable job at this;
the major complaint is that they are too slow.  They also help
distribute tools like COPS to validate unix workstation security.
They are a proactive organization, not a reactive organization, so
it's meaningless to ask what "Computer Emergencies" CERT has "halted".

I think that calling them "crypto-fascists" is at best an unsupported
smear, and at worst slanderous.

>>> From: peter honeyman <honey@citi.umich.edu>
>> i am disappointed to hear these stories about cert, but encourage others
>> with tales to tell to step forward.  this is a real eye-opener.

I agree with Peter.  If CERT is beginning to overstep its bounds
perhaps someone should make a calm, rational complaint.

>> > From: eichin@cygnus.com (Mark Eichin)
>> Umm, I thought CERT was a purely commercial organization, rather than
>> a government one... did I miss something? 

from the cert_faq, available as cert.org:/pub/cert_faq:

    CERT is sponsored by the Advanced Research Projects Agency (ARPA). The
    Software Engineering Institute is sponsored by the U.S. Department of
    Defense. 

Well, it's not a Government agency, but it's money certainly seems to
come from there.

Anyway, what I see here is an organization, founded for good reasons,
which is getting a little out of hand.  Rather than going ballistic,
slandering CERT, and claiming they've never done anything of value, I
think we should approach this as an internal problem at CERT.
Currently, there is a big problem on the Internet with randoms using
anonymous dropoff points to trade commercial software illegally.  CERT
accepts reports of these problems.  In many cases, I imagine, they are
accurate, and the host admins are glad to have the CERT tell them
about it.  What we have here, I think, is a few malicious individuals
or groups, who are using the CERT as a weapon against hapless ftp and
mail sites.  This problem could be easily alleviated by CERT checking
up on such reports before passing them on to host or domain admins.  I
think Julf's example is a good one.  A site not running ftp is not
trading in illegal software via ftp.  Period.

Idea for Eric: Send a letter to the RISKS Digest <risks@csi.sri.com>
and <cert@cert.org>, documenting the RISKS of a "computer security"
organization becoming overzealous, and not researching problems which
have been reported before sending reports to host and/or domain
administrators.  Include the letter you forwarded to us, and mention
Julf's problem.  Perhaps others will even mention similar problems.  I
think this will have the desired effect.

		Marc