Brent Chapman says:
> pmetzger @
com (Perry E. Metzger) writes:
> # [He continues in this vein, but eventually, our hero gives up,
> # realizing that CERT is part of the problem, not the solution. All
> # they've succeeded in doing is keeping him up at night. He can't fix
> # his problem, since he doesn't know how. He has no idea if he has a
> # problem. He can't check once he's done something to determine if he's
> # fixed it. All he knows is that CERT has no proceedure for telling him
> # anything regardless of who he is, period.]
> No, Perry, they may not part of YOUR solution for THIS particular
> problem, but CERT definitely provides an invaluable service.
> Consider this: without the recent CERT advisory, would you have even
> guessed that you _might_ have a problem?
Yes. In the days before CERT, these problems, with detailed solutions,
were passed around on the unix security mailing lists. We didn't
believe in "security through obscurity" back then -- people would tell
each other exactly what was wrong and you had a chance to fix things.
CERT, by being there, has effectively caused those lists to die, and
has acted to make the situation more, not less dangerous. The question
is not one of "do you want to be alerted or not" but of "what sort of
mechanism would you like to be alerted with". Being treated as a peer
might be nice.
I know there is a fundamental conflict between letting everyone know
and not wanting to let the bad guys know, but when someone who has
literally billions riding on the answers cant get answers something is
For all the help they gave me, CERT might as well have said "There is
a problem in Unix. Please have it fixed." I got no worthwhile
information out of them. I don't know if this problem is only with my
firewall or with the inside machines. I don't know if it requires a
TCP connection. I don't know if disabling the prog mailer can fix it.
I don't know how to test for it. I'd say that this is inferior to the
way things used to work.
> What you're saying is, in effect, "If they won't tell me all the
> details, I'd rather they'd never told me about the possible problem in
> the first place". Do you _really_ mean that? I hope not.
Not what I meant, and not what we would have been dealing with.