Hi
in the recent discussion on this list about disclosing the full description
of a security hole or the exploit code, Bruce Marshall and others said that:
>> As someone who is just up and getting started in the security arena, I
>> find that it's an uphill climb. It's difficult to find HARD information
>> since the CERT, IBM ERS, etc. people will just talk about problems and
>> won't say what the problems are specifically.
> As I too have seen, this does normally tend to be the case. Or a
> comparable situation would be that we eventually do learn a good deal
> about a hole, but months after the 'black hat' people do. This is due to
> the perceived damage control that these organizations and individuals
> believe they are doing by preventing the further spreading of info about
> the hole. In a way their methods do work. But at the same time they rob
> honest and concerned sys admins of info they have a legitimate need for.
As the head of the Swiss Academic Network CERT, let me add that there is NO
formal "decision" not to disclose the full description of a security hole
or the exploit code to system administrators. However, experience in the past
has shown very clearly that the 2-3 days between the publication of a security
hole by the CERTs (and a corresponding fix in most cases) and the public
availability of the exploit code give our administrators a chance to actually
review and apply those fixes. Many of our sys admins are researchers who do
system or network administration on a part-time, semi-professional basis,
because they don't have resources for full-time, professional administrators.
Not giving the exploit information or code away at first sight is our preferred
way to cope with this problem. However, when a system or network administrator
from our constituency contacts us (i.e. SWITCH-CERT) concerning
exploit information, we will certainly try to give him/her any information
required to let him/her do his/her job, and that may include very early
dissemination of exploit information, if needed. So, "CERT bashing" seems not
appropriate here. The CERTs certainly do not "rob" honest sys admins.
All the best
--HaL
--
Hannes P. Lubich        Voice: +41 1 268 15 55   CU-SeeMe: cuseeme.switch.ch
SWITCH Head Office      Fax  : +41 1 268 15 68   http://www.switch.ch/
Limmatquai 138          Mail : lubich@switch.ch
CH-8001 Zurich          Mail : S=lubich; O=switch; P=switch; A=400net; C=ch;
Switzerland             Phys : 47h 22' 39" N, 8h 32' 42" E, GMT + 1
For my PGP public key etc : "finger lubich@chx400.switch.ch"
For more information, use : "finger @macHaL.switch.ch" (office hours)