>I have repeatedly called CERT when these "drop everything, have we got
>a bug for you" reports come out. They should know who I am (after
>repeated phone calls, and talking to their reps at conferences), and even
>if they don't, they have ways of verifying who I, and others at my site,
>are before giving out info. And they still won't do it. Should I conclude
>that (1) CERT is (justifiably?) paranoid, (2) CERT is lazy (too lazy to
>check me or anyone else out), or (3) I'm too nice to them when I call?

I'm reminded of the Western Union practice with money wires; the sender
specifies some obscure question, which is then used to vet the recipient.
(My dad used things like Mom's mother's maiden name or the name of my
hamster.) I'm also reminded of the "verification codes" local radio
stations used to verify "school's out" calls during the winter.

Why couldn't CERT have a "contact list" like this? I give CERT (via
some reasonably secure channel; we can't all do face-to-face) some
piece of obscure information or passcode. I can then use that code
to identify/verify myself when calling.

This would be a *trivial* task if the database host is secure. I see
no reason why CERT could not allow one point of contact per registered
site/domain/network/whatever. I may be managing our own Class B network
in a few months, and I *darned* well want to get in the chute early for
info like this.
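
The contact list proposed above, sketched as an added example that is not part of the original post: one registered contact per site, with the passcode kept only as a salted scrypt digest so the list itself does not hold the codes. The class and method names, the lockout threshold and the scrypt parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost parameters; tune for the host that runs the registry.
_SCRYPT = dict(n=2**14, r=8, p=1, maxmem=2**26, dklen=32)


class ContactRegistry:
    """Hypothetical caller-verification list: one contact and passcode per site."""

    def __init__(self, max_failures=3):
        self._entries = {}      # site -> (contact, salt, passcode digest)
        self._failures = {}     # site -> consecutive failed attempts
        self._max_failures = max_failures

    @staticmethod
    def _digest(passcode, salt):
        return hashlib.scrypt(passcode.encode("utf-8"), salt=salt, **_SCRYPT)

    def register(self, site, contact, passcode):
        """Enroll a site once the passcode has arrived over the secure channel."""
        site = site.lower()
        if site in self._entries:
            raise ValueError("site already has a registered contact")
        salt = os.urandom(16)
        self._entries[site] = (contact, salt, self._digest(passcode, salt))

    def verify(self, site, contact, passcode):
        """Return True only if the caller gives the registered contact and passcode."""
        site = site.lower()
        if self._failures.get(site, 0) >= self._max_failures:
            return False        # locked: requires out-of-band re-enrollment
        entry = self._entries.get(site)
        if entry is None:
            return False
        known_contact, salt, stored = entry
        # Constant-time comparison of digests; the raw passcode is never stored.
        ok = hmac.compare_digest(self._digest(passcode, salt), stored)
        ok = ok and contact == known_contact
        self._failures[site] = 0 if ok else self._failures.get(site, 0) + 1
        return ok
```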