edu (Wes Morgan) writes:
# >I have repeatedly called CERT when these "drop everything, have we got
# >a bug for you" reports come out. They should know who I am (after
# >repeated phone calls, and talking to their reps at conferences), and even
# >if they don't, they have ways of verifying who I, and others at my site,
# >are before giving out info. And they still won't do it. Should I conclude
# >that (1) CERT is (justifiably?) paranoid, (2) CERT is lazy (too lazy to
# >check me or anyone else out), or (3) I'm too nice to them when I call?
# I'm reminded of the Western Union practice with money wires; the sender
# specifies some obscure question, which is then used to vet the recipient.
# (My dad used things like Mom's mother's maiden name or the name of my
# hamster.) I'm also reminded of the "verification codes" local radio
# stations used to verify "school's out" calls during the winter.
A lot of people in this discussion are confusing authentication with
authorization. Assume CERT could verify exactly who you are, that
you're Joe Blow Sysadmin at some Fortune 10 company; that's a
solvable problem, through a variety of methods.
Even if they know exactly who you are, though, why should they release
sensitive information to you?
You might be Joe Blow Sysadmin by day, but how do they know you're not
Joe the Cracker at night? Are you assuming that none of the folks
perpetrating all these break-ins have "real jobs"? I wouldn't take
Brent Chapman
COM
+1 415 962 0841
Great Circle Associates
1057 West Dana Street
Mountain View, CA 94041