This thread is the first set of negative comments I've ever heard about CERT.
From: Clark Reynard <clark@metal.psu.edu>
Excepting the Morris Worm, can you name a SINGLE Computer Emergency which CERT has halted? It is simply an organization to keep the crypto-fascists wired into the net.
My experience with them in the past has been as a clearinghouse for users to report security-related bugs to vendors, and for vendors to provide fixes back to users. They've done an admirable job at this; the major complaint is that they are too slow. They also help distribute tools like COPS to validate unix workstation security. They are a proactive organization, not a reactive organization, so it's meaningless to ask what "Computer Emergencies" CERT has "halted". I think that calling them "crypto-fascists" is at best an unsupported smear, and at worst slanderous.
From: peter honeyman <honey@citi.umich.edu>
i am disappointed to hear these stories about cert, but encourage others with tales to tell to step forward. this is a real eye-opener.
I agree with Peter. If CERT is beginning to overstep its bounds perhaps someone should make a calm, rational complaint.
From: eichin@cygnus.com (Mark Eichin)
Umm, I thought CERT was a purely commercial organization, rather than a government one... did I miss something?
from the cert_faq, available as cert.org:/pub/cert_faq:
CERT is sponsored by the Advanced Research Projects Agency (ARPA). The Software Engineering Institute is sponsored by the U.S. Department of Defense.
Well, it's not a Government agency, but its money certainly seems to come from there.
Anyway, what I see here is an organization, founded for good reasons, which is getting a little out of hand. Rather than going ballistic, slandering CERT, and claiming they've never done anything of value, I think we should approach this as an internal problem at CERT.
Currently, there is a big problem on the Internet with randoms using anonymous dropoff points to trade commercial software illegally. CERT accepts reports of these problems. In many cases, I imagine, they are accurate, and the host admins are glad to have the CERT tell them about it.
What we have here, I think, is a few malicious individuals or groups, who are using the CERT as a weapon against hapless ftp and mail sites. This problem could be easily alleviated by CERT checking up on such reports before passing them on to host or domain admins. I think Julf's example is a good one. A site not running ftp is not trading in illegal software via ftp. Period.
Idea for Eric: Send a letter to the RISKS Digest <risks@csi.sri.com> and <cert@cert.org>, documenting the RISKS of a "computer security" organization becoming overzealous, and not researching problems which have been reported before sending reports to host and/or domain administrators. Include the letter you forwarded to us, and mention Julf's problem. Perhaps others will even mention similar problems. I think this will have the desired effect.
Marc