Based on what you sent out, I confess that I see nothing wrong with CERT's note.
The issues that Steve raises are

1. use of ftp sites counter to the knowledge or desires of their owners
   a. for one time transmission
   b. for illicit archive
2. distribution of software contrary to the author's desires
3. abuse leading to shutdown of archives

I do not wish to quarrel with these issues. The question is not one of the ethicality of these actions, but of the relationship that CERT should have to such actions. CERT's mission is computer security, not copyright enforcement. What the letter offers is hearsay that illegal activity is taking place on a particular machine in a particular place. Such a letter might properly be construed as slander, since there was no effort made to verify the accuracy of this information and the letter even says this itself!

What CERT might properly do is first, verify that an ftp site is running. Julf's case where the ftp daemon was not even enabled is a particularly egregious case in point. Next they should verify that the permissions on the directories in question are set so that world read/write access is available. They could also do a tree search of the directories and look for suspiciously named directories. All these actions can be automated; there is little excuse for making not even the most cursory check.

In any case, CERT's response should be limited to issues of computer security and not law enforcement. They might properly notify an archive owner that illegal activity has been known to take place on archives configured in such a way, but to spread hearsay is irresponsible. Unfounded allegations of illegal activity are socially dangerous, especially when promulgated by a respected institution. In the fifties in the US in a similar context this was called "red-baiting".

Now if CERT receives reports about the improper distribution of software and the archive site is properly set up, one might reasonably assume collusion on behalf of the maintainers of the archive. In this case direct investigation should take place by properly authorized law enforcement authorities. CERT is not so authorized to my knowledge, and as it is funded with military money it would be a bad policy to give it a law enforcement function. The FBI is responsible for copyright enforcement in this country, and they are the proper ones to do an investigation.

Eric
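
An added example, not part of the original message: a sketch of the automated permission check and tree search described above, written for an archive owner to run against the local ftp root. The function names and the naming heuristic (leading dot, embedded spaces, non-printable characters) are assumptions of this example.

```python
import os
import stat
import sys


def suspicious_name(name):
    """Assumed heuristic: hidden, space-padded or non-printable names."""
    return name.startswith(".") or " " in name or not name.isprintable()


def audit_tree(root):
    """Return sorted (relative_path, reasons) for directories worth review."""
    findings = []
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if not stat.S_ISDIR(mode):
                continue  # symlinks to directories are listed but not audited
            reasons = []
            if mode & stat.S_IWOTH and mode & stat.S_IROTH:
                # Anyone can both upload and list/download: an open exchange point.
                reasons.append("world-read-write")
            elif mode & stat.S_IWOTH:
                # Write-only drop box: uploads possible, listing is not.
                reasons.append("world-writable")
            if suspicious_name(name):
                reasons.append("odd-name")
            if reasons:
                findings.append((os.path.relpath(full, root), reasons))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit_ftp_tree.py /path/to/ftp/root
    for path, reasons in audit_tree(sys.argv[1]):
        print(f"{path!r}: {', '.join(reasons)}")
```

Paths are printed with repr so that trailing spaces and control characters in directory names are visible in the report.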