> Now, because of the CERT announcement, at least you know there _may_
> be a problem with your configuration, and you can work on finding out
> more information about the problem and finding a solution.

How, when CERT, and everyone involved, is refusing to talk? How do you
suggest we find out more information, when we meet nothing but roadblocks?

I'm on Perry's side with this one. The CERT announcement did nothing
except alert any crackers who might have been on vacation in Bolivia that
there's a neat security hole, and they should contact their pals in the US
for details. The CERT announcement AS IT WAS RELEASED did that, and extra
information would not have sped up their access to details a bit - their
friends already knew the details. (Of course, crackers who weren't in
Bolivia knew the details already.)

I was preparing a flame about how CERT was valuable to no one except the
members of CERT themselves, and vendors, who got CERT's help in concealing
news of security problems from their _customers_ until fixes were
available. Not crackers, customers. The vendors seem to be less concerned
about their customers being broken into than they are about customers
finding out about unpatched holes. But with Dan Farmer's comments about
the CERT attitude toward vendors, I'm beginning to wonder who CERT helps at

Speaking as someone who's been indirectly responsible for one CERT
advisory, I'm going to do in the future what I've done in the past - post
details of security problems to alt.security. I don't see any other way to
get information to the people who need it.

Tom Fitzgerald    Wang Labs, Lowell MA, USA    fitz @