"Perry E. Metzger" <pmetzger @
# Brent Chapman says:
# > No, Perry, they may not part of YOUR solution for THIS particular
# > problem, but CERT definitely provides an invaluable service.
# > Consider this: without the recent CERT advisory, would you have even
# > guessed that you _might_ have a problem?
# Yes. In the days before CERT, these problems, with detailed solutions,
# were passed around on the unix security mailing lists. We didn't
# believe in "security through obscurity" back then -- people would tell
# each other exactly what was wrong and you had a chance to fix things.
# CERT, by being there, has effectively caused those lists to die, and
# has acted to make the situation more, not less dangerous. The question
# is not one of "do you want to be alerted or not" but of "what sort of
# mechanism would you like to be alerted with". Being treated as a peer
# might be nice.
I don't know you. Why should I treat you as a peer?
As far as _I_ know, all you've done is throw your weight about how
much money your company has and how important that makes you.
The lists functioned the way they did "in the old days" because most
of the people on the lists knew each other. Everybody didn't know
everybody, but any given person on such a list probably knew a
significant fraction of the other people on the list.
That's just not the way it is any more. I probably know more people
on the Firewalls list than just about anybody else (maybe Ches or
Marcus know more than I do), and yet I don't know more than 5% or so.
# I know there is a fundamental conflict between letting everyone know
# and not wanting to let the bad guys know, but when someone who has
# literally billions riding on the answers can't get answers something is
# fundamentally wrong.
Have you stopped to consider that maybe what's wrong is that your
site, with your security concerns, shouldn't be on the Internet in the
first place? You've apparently got this rose-colored image of how
things "used to be", and how things "ought to be", that just doesn't
# For all the help they gave me, CERT might as well have said "There is
# a problem in Unix. Please have it fixed." I got no worthwhile
# information out of them. I don't know if this problem is only with my
# firewall or with the inside machines. I don't know if it requires a
# TCP connection. I don't know if disabling the prog mailer can fix it.
# I don't know how to test for it. I'd say that this is inferior to the
# way things used to work.
And I'd say there's no way "the way things used to work" will function
any more in today's Internet, because of the explosive growth the
Internet has undergone in the last few years.
# > What you're saying is, in effect, "If they won't tell me all the
# > details, I'd rather they'd never told me about the possible problem in
# > the first place". Do you _really_ mean that? I hope not.
# Not what I meant, and not what we would have been dealing with.
"WOULD HAVE BEEN"... Quit living in the past, Perry; the world ain't
the same as it used to be.
Brent Chapman Great Circle Associates
COM 1057 West Dana Street
+1 415 962 0841 Mountain View, CA 94041