Brad Huntting <huntting@glarp.com> wrote:
Anyone have any more information about how much CERT spends annually, and where it comes from? Or should we just assume it is the NSA?
The main gripe most people have about CERT is that they are way slow. Could it be that they systematically inform some parties before others, and that it just so happens that the public at large is the last to know and the US intelligence community is the first?
From alt.security:
---------- Forwarded message begins here ----------
From: Paul <PAUL@TDR.COM>
Newsgroups: tdr.general,digex.general,alt.security,comp.security.misc
Subject: New List on Computer/Telephone Problems/Bugs/Viruses/Dangers
Date: Sun, 20 Feb 1994 01:05:00 -0500 (EST)
Organization: Tansin A. Darcos & Company, Silver Spring MD
Lines: 72
Message-ID: <9402200105.PAUL@TDR.COM>
NNTP-Posting-Host: access2.digex.net
Followups-To: tdr.general
Xref: bb3.andrew.cmu.edu alt.security:5909 comp.security.misc:5565

This is to announce the creation of a list and newsgroup for the public disclosure of bugs, system problems, viruses, and any other conditions in a computer system that people should be aware of so they can fix the problem. It is also appropriate to report security holes, dangerous conditions in PBXs, cellular and wire telephone systems, and other computer-controlled devices. Also reports of things such as default accounts and passwords on systems that should be changed, etc.

The focus will be on reporting clear descriptions of problems including how to generate them. The idea being that this will alert people to the nature of certain problems that they might be unaware of. Reproducing these conditions lets others know what is being done, and can allow people to post solutions on how to block them.

The purpose in creating this outlet is that currently, the only means currently available for reporting discovered security holes in computer systems and possibly other areas is via the Computer Emergency Research Team (CERT) out of Carnegie Mellon University. The problem with CERT reporting is that the reports generally tend to be done in secrecy, and it fails to let system administrators and others know about what is happening so that these things can be fixed. In short, CERT acts like a black hole and takes too long to publicize problems until lots of places get hit because they didn't know about it.
Some people feel that reports should not be publicized because potential reports might become available to "the bad guys." Well, the truth of the matter is that "the bad guys" trade their discoveries around all the time; the current use of secrecy is only hurting "the good guys" who want to protect their systems.

There will be two addresses. The general list will be PROBLEMS@TDR.COM which is used to post a report to the list. Postings may also be made by facsimile to +1 301 492 7617 to the attention of Paul Robinson, or by telex to USA telex number 6505066432; the answerback is '6505066432MCI UW'.

If your site receives all or most newsgroups, the list is echoed to the group tdr.problems. If you do not receive that hierarchy (or prefer to receive it as mail), you can subscribe. To subscribe to the list, or to post a report to me that you do not wish to be publicly identified as the sender, use PROBLEMS-REQUEST@TDR.COM

Currently, both addresses are moderated. This may change as I upgrade the software on my system. Persons wishing to make a report but not be identified should send the message to me at PROBLEMS-REQUEST and state so in the text of their message. Persons wanting to receive this service by facsimile should contact me for details.

All messages requesting subscriptions or posting information will be acknowledged. Please pass this announcement around.

It is my intent to set this up such that people can publicly report known bugs, viruses and problems in clear detail so everyone knows about them and can encourage much faster response to these problems than is currently available. It may even embarrass some manufacturers into making fixes sooner when their errors are glaringly exposed in public.

---
Paul Robinson - Paul@TDR.COM
-----
The following Automatic Fortune Cookie was selected only for this message:

Never call a man a fool; borrow from him.