[10034] in Commercialization & Privatization of the Internet


If Orson Welles were only alive...

daemon@ATHENA.MIT.EDU (Barry Shein)
Sat Feb 5 02:19:45 1994

Date: Sat, 5 Feb 1994 02:19:05 -0500
From: bzs@world.std.com (Barry Shein)
To: sob@tmc.edu
Cc: karl@mcs.com, com-priv@psi.com
In-Reply-To: Stan Barber's message of Sat, 5 Feb 1994 00:55:43 -0600 <199402050655.AAA03395@tmc.edu>


>From: sob@tmc.edu (Stan Barber)
>I believe CERT has significantly added to the overall security of the 
>Internet. If you believe otherwise, then consider what might be true if
>there were no CERT.

That's nice Stan, and I agree they have been generally helpful WITHIN
THE CHARTER THEY OPERATE IN, but it doesn't mean it is sufficient for
what some of us (many of us) need. That of course is not CERT's fault.

I have had crackers on-line busting into other sites, called CERT and
asked them if there is anything that should be done before blowing
them away. In one case the person had gotten into a defense contractor
who did secure work (I called them first, the guy was on to another
site already, btw that site hung up on me at the front desk but I
eventually got thru to someone by calling back and loudly reading the
riot act before they hung up, that's a good example, I don't have any
authority to even demand to speak to someone in such a situation do I?
So much for being the good samaritan, but what else to do?)

Their (CERT's) response was to inform me that I could call a
law-enforcement agency if I like but they were not chartered to do
anything more than take a description of the activity. I was kinda
hands-full and hoping I could get a little help and real-time advice
there, but clearly I'd called the wrong organization, my error, what
was the right organization to call? Do they exist? Should they?

BUT AGAIN, none of that is a criticism of CERT any more than if I
pointed out that the public library doesn't respond to house fires.

But anyone out there like yourself who thinks that CERT is more than a
data collection and distribution organization (and fairly slow about
that, note my comment that I had described the /dev/nit problem to
them last July) is either fooling themselves or doesn't need anything
more than that which is fine.

I'm just saying it's time to talk about what else is needed, I have no
intention to criticize CERT for what they do and I thank them. My
examples are only to point out what they are not chartered to do, and
what some of us out here (perhaps many of us) need badly. If you don't
feel you need anything more than what CERT provides then I envy you.

As an actual criticism of CERT I do think that the advisory being
discussed was very poorly worded and tended to induce the sort of
reaction it did unless there's a lot more going on than I know about
and I don't think so (e.g. were "tens of thousands of sites" actually
compromised, or were single accounts possibly relating back to some
number of sites compromised? There's a difference.)

From the CERT advisory:

>Intruders have
>already captured access information for tens of thousands of systems
>across the Internet.

Just what does that mean? Unfortunately I think the media took the
broadest possible interpretation of that sentence. It could have been
nailed down better with just a modicum of effort.

        -Barry Shein

Software Tool & Die    | bzs@world.std.com          | uunet!world!bzs
Purveyors to the Trade | Voice: 617-739-0202        | Login: 617-739-WRLD
