[10047] in Commercialization & Privatization of the Internet

Concerning CERT

daemon@ATHENA.MIT.EDU (Barry Shein)
Sat Feb 5 03:43:13 1994

Date: Sat, 5 Feb 1994 03:41:25 -0500
From: bzs@world.std.com (Barry Shein)
To: sob@tmc.edu
Cc: karl@mcs.com, com-priv@psi.com
In-Reply-To: Stan Barber's message of Sat, 5 Feb 1994 02:07:53 -0600 <199402050807.CAA03722@tmc.edu>


>From: sob@tmc.edu (Stan Barber)
>It certainly means that CERT does not meet the needs as you define
>them from your point of view.

Exactly my point.

>Perhaps IETF or some group should set up
>a set of parameters for a group to meet your criteria.

I think it has to start more formally and more immediately, IETF can
always study practice and make some conclusions.

>I believe that there is great strength in working together and perhaps a role
>for User Groups (like SUG) or professional organizations (like USENIX) would
>be to provide that mechanism.

Actually, I don't.

A) You are dealing at least some of the time with real, bona-fide
criminals regarding these matters. I have helped get one person thrown
in jail (along with Bank of Italy and some other orgs) resulting from
similar behavior (and thousands of dollars in credit card and calling
card fraud, wire fraud, etc.) Read Cliff Stoll's book for other
examples.

User groups have no place dealing with criminal activities or
appearing to be an answer.

Closing up holes etc is only half the story. Security break-ins such
as these are being caused by someone. Who are they? How do we find
them and stop them? How do we get the message out that this is not a
joke, that you can get in a lot of trouble for this sort of thing, and
that you will get caught?

Look, I have glass windows in my house. Any idiot can throw a rock
thru one and cause damage. I don't know that the only societal
response ought to be to point out that I might have bricked up the
windows.

B) User groups are in no way bonded or able to take on the potential
responsibility of an error or omission in such matters. If some
volunteer User group's feeble attempt to organize something like this
resulted in some organization suffering real harm where would that
leave them?

C) User groups generally have a basic, completely non-technical office
staff who handles memberships, mailing lists, newsletters, conferences
etc. How are they set up to begin to manage a huge, daily and detailed
problem such as internet security? Through technically-able
volunteers?  I don't think so.

Anyhow, I think the idea is not feasible. It might be useful to
discuss security issues within the purview of a User Group, share
stories, present papers etc. But none of that is timely nor is it an
attempt to take responsibility for ongoing problems such as we are
discussing.

Just the criminal aspect should dissuade anyone of the idea.

        -Barry Shein

Software Tool & Die    | bzs@world.std.com          | uunet!world!bzs
Purveyors to the Trade | Voice: 617-739-0202        | Login: 617-739-WRLD
