Brent Chapman says:
> "Perry E. Metzger" <pmetzger @
> # CERT, by being there, has effectively caused those lists to die, and
> # has acted to make the situation more, not less dangerous. The question
> # is not one of "do you want to be alerted or not" but of "what sort of
> # mechanism would you like to be alerted with". Being treated as a peer
> # might be nice.
> I don't know you. Why should I treat you as a peer?
> As far as _I_ know, all you've done is throw your weight about how
> much money your company has and how important that makes you.
Resources are easily available to verify credentials. I can very
easily prove that I am who I say I am, and that my company is who they
say they are. You can prove it, too. It's not hard. If you want to
further make sure that I'm not someone impersonating Perry Metzger,
you can call up Information in NYC, get the number for American
Express's corporate headquarters (we are a division of Amex -- there
may be a separate listing for us, but the same switchboard is used so
it makes no difference), and ask them for me.
> The lists functioned the way they did "in the old days" because most
> of the people on the lists knew each other. Everybody didn't know
> everybody, but any given person on such a list probably knew a
> significant fraction of the other people on the list.
> That's just not the way it is any more.
Fine. If we are going to replace the Old Way with the "New Way" that's
supposedly an improvement, CERT could go through the trouble of making
sure that people who need the information can get it. If that is not
the case, they can give you enough information that you could make
some minor judgements -- telling us if the vulnerability will hurt
machines inside a firewall isn't going to help crackers but it will
help the good guys. They won't even say that much. Frankly, I almost
wish that they posted full information -- I'd rather have to rush than
to spend three days not knowing what to do. I still don't know what to
do, and believe me I've tried.
> # I know there is a fundamental conflict between letting everyone know
> # and not wanting to let the bad guys know, but when someone who has
> # literally billions riding on the answers cant get answers something is
> # fundamentally wrong.
> Have you stopped to consider that maybe what's wrong is that your
> site, with your security concerns, shouldn't be on the Internet in the
> first place?
Yes, we have to be on the internet. We have developers who need to get
support from vendors. We have developers who need new versions of
tools or their productivity is going to be shot. Etc, etc. We aren't
the only firm on Wall Street that's made this decision -- Goldman
Sachs, a firm that literally moves the market when they trade in
foreign exchange or the oil markets, is on the net, as is Salomon (sp?
I'm tired) Brothers, Morgan Stanley, etc. We also deliver information
to several of our clients, who I cannot name, over private internet
connections to them, and they are on the net. Not being on the net is
like not owning a phone these days. You can't do it. Hell, we are
upgrading to a T1 soon because of our traffic levels.
We are also large enough that we have internal security concerns. We
operate on three continents in lots and lots of cities. We are almost
big enough to have to worry about internal attacks and internal
firewalls -- but I suppose you will tell me to shut off my internal
internet. Without our internal internet, of course, we could no longer
function for an hour.