Dan Farmer wrote:
> IMO, the current situation is ridiculous, even from a vendor
> standpoint. CERT will *NOT* give sun (or anyone else, as far as I know,
> and I have asked for stuff repeatedly, unless they've recently changed
> their stance on this issue) information on bugs unless they are certain
> that they know that it affects a sun. That's ridiculous -- *most* unix
> bugs affect more than one OS. The BSD people didn't know if sendmail
> was fucked by the latest bug until I sent it to eric allman this
> morning. Why didn't CERT do this? I'll be sending it to HP soon (as
> soon as I figure out who the bug person is over there) -- why do I have
> to do this? Has CERT talked to any other vendors about this? Why
> didn't CERT tell us/me about the convex login bug, or the HP NIS bug, or
> any of the other unix security bugs that they've had advisories out on
> recently? They certainly don't know as much about sunos as we do, but
> they set themselves up as information czars that won't hand anything
> out unless *they* deem it proper.
The last sentence is identical to my complaint.
I have repeatedly called CERT when these "drop everything, have we got
a bug for you" reports come out. They should know who I am (after
repeated phone calls, and talking to their reps at conferences), and even
if they don't, they have ways of verifying who I, and others at my site,
are before giving out info. And they still won't do it. Should I conclude
that (1) CERT is (justifiably?) paranoid, (2) CERT is lazy (too lazy to
check me or anyone else out), or (3) I'm too nice to them when I call?