....
If you asked CERT to justify such notes, they'd probably quote the following text from their press release on ftp.cert.org:
It will also serve as a focal point for the research community for identification and repair of security vulnerabilities, informal assessment of existing systems in the research community, improvement to emergency response capability, and user security awareness.
``User security awareness'' sounds about right.
.... Steve, I think CERT is off base with these notes. The problem, to my eyes, is not that they're notifying administrators of potential problems before they occur; that's all well and good, and probably easily within their charter. What I take issue with is the underhanded manner in which they seem to be doing it. According to the reports from soda and penet, the notes were not sent in response to any specific request from the sites in question, but rather on the initiative of someone at CERT itself or in response to some vague complaint from a third party. Furthermore, the notes were sent "above the heads" of the individual site administrators (perhaps to whoever is listed as the domain contact at the NIC), apparently causing bad feelings and misunderstanding in at least the two cases reported here.

If they had sent mail to the postmasters at the individual sites saying "hey, did you know your machine has a writeable anonymous ftp directory?" that's one thing. I'd interpret that as a friendly and helpful gesture. Instead, the impression is one of, at best, unwelcome meddling, or, at worst, some kind of bizarre network-vigilantism. If they find something they don't like about one of my computers, who else are they going to send mail to? My boss? My mother?

I should point out that I dealt with CERT myself a couple of years ago regarding an intruder on a machine I administered, and found them to be nothing but helpful and professional. Their assistance was, however, limited to reacting to specific problems that I asked them to help with. They never initiated any kind of audit of my site or did anything that would make me feel as if they were some kind of "net cop wannabes" who were "checking up" on my computers. I'd hate to see that image changing, because they have the potential to provide an increasingly valuable service as the internet grows.

-matt