[10030] in Commercialization & Privatization of the Internet
If Orson Welles were only alive...
daemon@ATHENA.MIT.EDU (Barry Shein)
Sat Feb 5 01:38:13 1994
Date: Sat, 5 Feb 1994 01:37:32 -0500
From: bzs@world.std.com (Barry Shein)
To: karl@mcs.com
Cc: com-priv@psi.com
In-Reply-To: Karl Denninger's message of Sat, 5 Feb 1994 00:21:58 -0600 (CST) <m0pSgP0-000BbfC@mercury.mcs.com>
>From: karl@mcs.com (Karl Denninger)
>2) Form a mailing list of <real> admins to discuss issues, including
> break-ins in process.

This is a good idea. I agree that CERT is not the appropriate venue
for actual security problems other than copying them a summary note
from time to time. I've asked them direct questions about security
problems I was aware of (or they alluded to in an advisory), they know
who I am, and found that they cannot generally respond to such matters
as a policy. At least once I had a problem that could have been
avoided by a simple and direct answer which they had in their
possession (i.e. I privately found another site which had the same
problem, had discovered the cause, and had previously reported it to
CERT.)

Not particularly a criticism of CERT, just pointing out that their
role is closer to journalism than police/investigatory work and there
are more than a few of us out here who need something more like the
latter.

The upshot is that the bad guys are sharing notes and hints. The good
guys need to also. Enough with these furtive calls in the night from
some site admin I happen to know asking if I ever heard of this or
that security problem s/he heard on the grapevine and is there any way
to close it up.

I am familiar with the problem alluded to in the CERT advisory
regarding /dev/nit and trapping telnet etc. I informed CERT of the MO
involved on July 10th, 1993, 7 months ago. So what happened in the
interim? Not much, other than "tens of thousands" of sites got cracked.

Again, not CERT's fault per se, they can only do what they are
chartered to do, but the current state of affairs is a travesty for
the rest of us.

-Barry Shein
Software Tool & Die | bzs@world.std.com | uunet!world!bzs
Purveyors to the Trade | Voice: 617-739-0202 | Login: 617-739-WRLD