I've been watching the recent threads over this mail-list with
great amusement.
Those unsatisfied with the services provided by CERT are certainly
understandable, and I would suggest you contact them immediately
and ask for a full refund.
Seriously though, CERT is often the butt of many a joke in the
so-called "computer underground" for their lack of substantive
information and the incredible lag in the dissemination of
any information about newly discovered bugs to those who are
in potential jeopardy. Whenever a bug begins to propogate
around the community everyone knows its a matter of a few
months (perhaps longer) before CERT sticks out an advisory
about them, and once this has been done, everyone scrambles to
make sense of the vague descriptions they provide.
CERT has discovered a vulnerability in certain versions of the
UNIX operating system in which users can get root privs with
use of the su command....
I personally feel that such vague descriptions accomplish more
hamr than good. I am of the mindset that these problems should
be spread freely, providing EVERYONE with the ability to innoculate
themselves rather than hope that someone takes pity upon
them and lets them in on the bug.
The argument that such information shouldn't be openly
discussed because "bad guys" might get it is just plain
stupid. Guess what folks, they (we) already have it. Its
been that way as long as I can remember. ISIS, Zardoz, CORE
and a score of others all were spread around the underground
as soon as they came out. The secrecy of these lists a
farce, as the information was being kept from system administrators
but was readily available from you friendly neighborhood
hacker. Now it would seem that those in the know keep
the status quo and still hold fast to the belief that by
restricting the information, they are indeed helping the
situation.
I can tell you from first hand experience (on both sides of the
computer security fence) such tactics will be your undoing.
Until all persons tasked with the operation of computer systems
are given the tools they need to protect their company's investments
(regardless of whether or not they are a member of the computer security
good-old boy network) everyone will suffer.
Just because one host admin is particularly clever, and has solved
the problem of dealing with the latest bug, until every host
has solved the same problem, who is to say that exploiting it
on a foreign system will not ultimately lead to capturing
information that would compromise all other systems?
It strikes me as ironic that several persons on this list have
noted (although probably only jokingly) that if they wanted to get
a straight answer they would have to resort to reading 2600.
In many cases, publications like 2600 and Phrack (which I edit)
do spread precisely this kind of forbidden knowledge.
I personally feel that if the knowledge of the problem is in
more hands than those of a priviledged elite there is a greater
possibility of correcting the situation.
You may argue that "the bad guys" will get the information first, and
byproviding them with such information I am a terrible person.
Perhaps I am, but why aren't YOU taking advantage of all your
resources to protect your company's investment?
CERT is not the only source of information. There are mailing lists
newsgroups, and many other forums to obtain information that can
assist you in your oftimes frustrating jobs as sysadmins.
And if you really want to start a change for the better,
adjust your thinking patterns and begin to TALK to one another
rather than hide behind a cloud of paranoia about who may be
listening.
->ME
Follow-Ups:
|
|
