steve, like eric, i feel that cert is overstepping their charter by engaging in law enforcement activities. what's your feeling on the matter? don't you agree that this could jeopardize their ability to do the work they are chartered to do?

Law enforcement? It's law enforcement if they do more than notify the owner of the site. Most such sites welcome the notifications *if* (and it's a big ``if'') their machines are being abused by outsiders.

If CERT is going out and looking for pirated software, or if they try to take any action to enforce their notes -- then, I do agree with both of you; such actions are beyond their charter. (Though one can argue that clandestine distribution of malware would be an exception. I specify ``clandestine'' because one could entertain a reasonable suspicion that the motives of such distributors were not purely educational...)

If you asked CERT to justify such notes, they'd probably quote the following text from their press release on ftp.cert.org:

It will also serve as a focal point for the research community for identification and repair of security vulnerabilities, informal assessment of existing systems in the research community, improvement to emergency response capability, and user security awareness.

``User security awareness'' sounds about right.

Look -- CERT did not demand that the ftp area be shut down, they did not threaten to cut the machine off from the Internet, they didn't (as far as I know) turn the note over to the FBI or the Secret Service, and they didn't mention PGP or ``dirty GIFs''. They simply *informed* the administrator, in a polite way, of information that that administrator probably wants to hear. (I've had occasion to notify various system administrators of the same sort of thing. They were all grateful for the report.) The overly-hasty response came from Eric's end.

What the administrator's response should be if RSADSI sent a note about PGP is another matter. This is CERT, and they're talking about pirated software.

--Steve Bellovin

Disclaimer: I'm on friendly terms with CERT, and with a lot of the folks who work there. And -- as anyone who has read my papers knows -- I've sent in my share of incident and vulnerability reports.