
List:       bugtraq
Subject:    Re: CERT/AUCERT
From:       itudps <itudps () ntx ! city ! unisa ! edu ! au>
Date:       1996-12-20 9:32:05

> Within the past few months, there has been a decisive trend in
> CERT/AUCERT's release of vulnerability notices.

AUSCERT, I think it is.

> A bug appears on
> BugTraq, and within hours or days, an AUCERT or CERT vulnerability
> notice appears. That is a GoodThing(tm). However. In these notices,
> CERT/AUCERT has failed to credit the authors of those exploits. Now,
> yes, it is entirely possible CERT/AUCERT has known about these holes
> for ages, and just decided not to release a vulnerability notice. Of
> course, that can't be true, because that would make them willing
> accomplices to break-ins. So, assuming that they didn't know about
> these holes, and the way too coincidental timing issue, I would have
> to say AUCERT/CERT owes a number of people an apology, at the very
> least.

I politely asked CERT about this. "Not our policy to acknowledge", to
paraphrase the response. Then I pointed out that they *always* bend over
backwards to acknowledge computer companies and the other CERT (whichever
one is doing the announce) to the point of effusiveness at times. No reply
since, did I offend them? This really isn't a game of responsible CERTs vs
dirty crackers, it's just a matter of professionals sharing valuable
knowledge. Knowledge which is significant enough to be worth a lot of
money to a lot of people, regardless of intellectual property laws. They
should be far more careful, and apply common decency besides.

It seems to me that they might have a case for not acknowledging when all
that was posted was an exploit, not a fix. However, when both are posted
together it smacks of plagiarism to me to repost another version of the fix
without acknowledgement. By this logic the author of the recent SGI stuff
should get a mention but SOD should not, since SOD don't (as far as I can
recollect) publish fixes as well.

In the case where there isn't one clearly defined author then probably the
forum should be acknowledged, e.g. maybe with a reference to the bugtraq
web archive site. This will spread knowledge of both the good and the bad,
but if xCERT want to use other people's brains they must deal
professionally with us.

--
 Dan Shearer                            email: Dan.Shearer@UniSA.edu.au
 Information Technology Unit            Phone: +61 8 302 3479
 University of South Australia          Fax  : +61 8 302 3385
