This thread is the first set of negative comments I've ever heard about CERT.
From: Clark Reynard
Excepting the Morris Worm, can you name a SINGLE Computer Emergency which CERT has halted? It is simply an organization to keep the crypto-fascists wired into the net.
My experience with them in the past has been as a clearinghouse for users to report security-related bugs to vendors, and for vendors to provide fixes back to users. They've done an admirable job at this; the major complaint is that they are too slow. They also help distribute tools like COPS to validate unix workstation security. They are a proactive organization, not a reactive organization, so it's meaningless to ask what "Computer Emergencies" CERT has "halted". I think that calling them "crypto-fascists" is at best an unsupported smear, and at worst slanderous.
From: peter honeyman
i am disappointed to hear these stories about cert, but encourage others with tales to tell to step forward. this is a real eye-opener.
I agree with Peter. If CERT is beginning to overstep its bounds, perhaps someone should make a calm, rational complaint.
From: eichin@cygnus.com (Mark Eichin)
Umm, I thought CERT was a purely commercial organization, rather than a government one... did I miss something?
from the cert_faq, available as cert.org:/pub/cert_faq:
CERT is sponsored by the Advanced Research Projects Agency (ARPA). The
Software Engineering Institute is sponsored by the U.S. Department of
Defense.
Well, it's not a Government agency, but its money certainly seems to
come from there.
Anyway, what I see here is an organization, founded for good reasons,
which is getting a little out of hand. Rather than going ballistic,
slandering CERT, and claiming they've never done anything of value, I
think we should approach this as an internal problem at CERT.
Currently, there is a big problem on the Internet with randoms using
anonymous dropoff points to trade commercial software illegally. CERT
accepts reports of these problems. In many cases, I imagine, they are
accurate, and the host admins are glad to have the CERT tell them
about it. What we have here, I think, is a few malicious individuals
or groups, who are using the CERT as a weapon against hapless ftp and
mail sites. This problem could be easily alleviated by CERT checking
up on such reports before passing them on to host or domain admins. I
think Julf's example is a good one. A site not running ftp is not
trading in illegal software via ftp. Period.
Idea for Eric: Send a letter to the RISKS Digest