Dear Moira, I was somewhat disturbed to note the recent actions of CERT with regard to Johan Helsingius' site anon.penet.fi; and with regard to the cypherpunks' archive at soda.berkeley.edu. I read a clarification of your position which appeared to regret any inconvenience these actions and others may have caused, it still seemed that you do not intend to exercise any more caution in the phrasing of your message. While the message disclaims that you have verified the information included in it, it still bears the phrasing of an accusation, not an advisory. While it is certainly laudable to bring potential security problems to the attention of system administrators and users, the method in which this was done, and those to whom you mentioned it, cause me serious doubts as to the effectiveness of your actions. In the first case, that of Johann Helsingius, you did not notify the system administrator but the domain manager for all Finland. Not only is the domain manager in no position to patch potential security holes in a local system, but additionally he probably has more important tasks than checking out false reports. Allegations were made by an unnamed officer of CERT that the site was illegally distributing software by anonymous ftp; whereas, even the most rudimentary efforts at verification would have revealed that the site in question does not operate anonymous ftp. It is neither sensible nor equitable to contact a domain administrator without even contacting the administrator of the questionable system; especially the domain administrator of an entire sovereign nation. Certainly, if CERT can not even bother to take the time of even a preliminary verification of their reports before announcing them, certainly it seems to be an imposition to demand that the domain administrator of an entire country spend time investigating spurious reports. If there is suspicion that a particular machine has been compromised, and is thus an insecure method of contacting the administrator, perhaps contacting the administrator by postal mail or by telephone would be more sensible than contacting the administrator of all the machines in Finland. Certainly if the machine itself is compromised, it is quite possible that the entire domain is also compromised, and email may be insecure and easily available to hostile third parties. With the additional implication in the ominous form letter you mail that the person responsible for the machine may be involved in illegal activities, the potential for abuse of CERT by people filing false reports is, though perhaps not in itself a "computer emergency," is certainly something which you ought to consider in your standard procedures. As sites which use TCP/IP without providing for authentication are considered security holes, so is a Computer Emergency Response Team which does the same thing, that is, simply relays accusations without any authentication of their veracity. Considering the possible damage to the reputations of persons not involved in illegal activity, and the disruption of services which results when such accusations are made, actions of this sort are retrogressive and represent as significant a threat to the systems as would a 'denial of service' attack. Please be more careful in the future when relaying such messages. ---- Robert W. F. Clark rclark@nyx.cs.du.edu