1993-06-08 - Re: CERT: the letter from CERT to berkeley.edu admin

Header Data

From: smb@research.att.com
To: peter honeyman <honey@citi.umich.edu>
Message Hash: 43f4885d7439a2ed342cb3ae84287a55616f605d221dc5786c6a7db85f637b1b
Message ID: <9306082022.AA25894@toad.com>
Reply To: N/A
UTC Datetime: 1993-06-08 20:22:05 UTC
Raw Date: Tue, 8 Jun 93 13:22:05 PDT

Raw message

From: smb@research.att.com
Date: Tue, 8 Jun 93 13:22:05 PDT
To: peter honeyman <honey@citi.umich.edu>
Subject: Re: CERT: the letter from CERT to berkeley.edu admin
Message-ID: <9306082022.AA25894@toad.com>
MIME-Version: 1.0
Content-Type: text/plain


	 steve, like eric, i feel that cert is overstepping their charter
	 by engaging in law enforcement activities.  what's your feeling
	 on the matter?  don't you agree that this could jeopardize their
	 ability to do the work they are chartered to do?

Law enforcement?  It's law enforcement if they do more than notify the
owner of the site.  Most such sites welcome the notifications *if* (and
it's a big ``if'') their machines are being abused by outsiders.

If CERT is going out and looking for pirated software, or if they try
to take any action to enforce their notes -- then, I do agree with both
of you; such actions are beyond their charter.  (Though one can argue
that clandestine distribution of malware would be an exception.  I
specify ``clandestine'' because one could entertain a reasonable
suspicion that the motives of such distributors were not purely
educational...)

If you asked CERT to justify such notes, they'd probably quote the
following text from their press release on ftp.cert.org:

	It will also serve as a focal point for the research community
	for identification and repair of security vulnerabilities,
	informal assessment of existing systems in the research
	community, improvement to emergency response capability, and
	user security awareness.

``User security awareness'' sounds about right.

Look -- CERT did not demand that the ftp area be shut down, they did
not threaten to cut the machine off from the Internet, they didn't (as
far as I know) turn the note over to the FBI or the Secret Service, and
they didn't mention PGP or ``dirty GIFs''.  They simply *informed* the
administrator, in a polite way, of information that that administrator
probably wants to hear.  (I've had occasion to notify various system
administrators of the same sort of thing.  They were all grateful
for the report.)  The overly-hasty response came from Eric's end.
What the administrator's response should be if RSADSI sent a note
about PGP is another matter.  This is CERT, and they're talking about
pirated software.

		--Steve Bellovin

Disclaimer:  I'm on friendly terms with CERT, and with a lot of the
folks who work there.  And -- as anyone who has read my papers knows --
I've sent in my share of incident and vulnerability reports.




