From: Marc Horowitz <marc@GZA.COM>
To: Eric Hughes <hughes@soda.berkeley.edu>
Message Hash: fb96f42090e167c5a032e94ba702810541ff8d6921d0d8b7adddf66ff3c98d75
Message ID: <9306081705.AA13681@dun-dun-noodles.aktis.com>
Reply To: <9306081620.AA07331@soda.berkeley.edu>
UTC Datetime: 1993-06-08 17:05:32 UTC
Raw Date: Tue, 8 Jun 93 10:05:32 PDT
Subject: Re: CERT: the letter from CERT to berkeley.edu admin
This thread is the first set of negative comments I've ever heard
about CERT.
>>> From: Clark Reynard <clark@metal.psu.edu>
>> Excepting the Morris Worm, can you name a SINGLE Computer Emergency
>> which CERT has halted? It is simply an organization to keep the
>> crypto-fascists wired into the net.
My experience with them in the past has been as a clearinghouse for
users to report security-related bugs to vendors, and for vendors to
provide fixes back to users. They've done an admirable job at this;
the major complaint is that they are too slow. They also help
distribute tools like COPS to validate unix workstation security.
They are a proactive organization, not a reactive organization, so
it's meaningless to ask what "Computer Emergencies" CERT has "halted".
I think that calling them "crypto-fascists" is at best an unsupported
smear, and at worst slanderous.
>>> From: peter honeyman <honey@citi.umich.edu>
>> i am disappointed to hear these stories about cert, but encourage others
>> with tales to tell to step forward. this is a real eye-opener.
I agree with Peter. If CERT is beginning to overstep its bounds
perhaps someone should make a calm, rational complaint.
>>> From: eichin@cygnus.com (Mark Eichin)
>> Umm, I thought CERT was a purely commercial organization, rather than
>> a government one... did I miss something?
from the cert_faq, available as cert.org:/pub/cert_faq:
CERT is sponsored by the Advanced Research Projects Agency (ARPA). The
Software Engineering Institute is sponsored by the U.S. Department of
Defense.
Well, it's not a Government agency, but its money certainly seems to
come from there.
Anyway, what I see here is an organization, founded for good reasons,
which is getting a little out of hand. Rather than going ballistic,
slandering CERT, and claiming they've never done anything of value, I
think we should approach this as an internal problem at CERT.
Currently, there is a big problem on the Internet with randoms using
anonymous dropoff points to trade commercial software illegally. CERT
accepts reports of these problems. In many cases, I imagine, they are
accurate, and the host admins are glad to have the CERT tell them
about it. What we have here, I think, is a few malicious individuals
or groups, who are using the CERT as a weapon against hapless ftp and
mail sites. This problem could be easily alleviated by CERT checking
up on such reports before passing them on to host or domain admins. I
think Julf's example is a good one. A site not running ftp is not
trading in illegal software via ftp. Period.
Idea for Eric: Send a letter to the RISKS Digest <risks@csi.sri.com>
and <cert@cert.org>, documenting the RISKS of a "computer security"
organization becoming overzealous, and not researching problems which
have been reported before sending reports to host and/or domain
administrators. Include the letter you forwarded to us, and mention
Julf's problem. Perhaps others will even mention similar problems. I
think this will have the desired effect.
Marc