Here, in its almost full glory, is the letter that CERT sent to the admin at berkeley. I've removed the addressee, since there's no need to involve that person. I have not, however, removed the name of the sender.

Don't you just love that phrase "illegal trading of commercial software"?

Eric

-----------------------------------------------------------------------------

To: <someone>@ucbvax.Berkeley.EDU
Subject: Possible abuse of anonymous FTP area on berkeley.edu host(s)
Organization: CERT Coordination Center
From: cert@cert.org
Date: Wed, 02 Jun 93 16:56:55 -0400

Hello <someone>,

I am a member of the CERT Coordination Center. CERT provides technical assistance in response to computer security incidents. Would you please forward this report to the appropriate system administrator(s)?

We have been passed information that indicates that the anonymous FTP archive on the following host(s) may be in use by intruders for illegal trading of commercial software:
> soda.berkeley.edu /pub/cypherpunks
We have not confirmed this information, nor have we identified that the anonymous FTP configuration on the above-listed host(s) is open for abuse.

While anonymous FTP areas can be put to good use, the intruder community makes use of them to illegally trade commercial software and other information. Intruders often create "hidden" files or directories in order to conceal their activity. On UNIX hosts, directory and file names of a form such as "..." (dot dot dot), "..  " (dot dot space space), or "..^G" (dot dot control-G) may be used. In some cases, intruders have abused anonymous FTP areas to such an extent that file storage has been exhausted and a system crash or denial of service has resulted.

We would encourage you to check your anonymous FTP archive for any such "hidden" files or directories by using the "ls -laR" command. We would appreciate feedback on the name of any software packages found at your site and the number of accesses to that software, if that information is available from your logs. Please e-mail a summary of this information to "cert@cert.org" before deleting any such files and directories from your archive.

For your information, I have appended some suggestions for anonymous FTP configuration.

Thanks for checking into this incident, and please don't hesitate to contact us if we can be of any assistance.

Katherine T. Fithen
Technical Coordinator
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
Internet e-mail: cert@cert.org (monitored during business hours)
Telephone: 412-268-7090 (answers 24 hours a day)
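The archive check the CERT letter asks for, as an added example that is not part of the original thread: "ls -laR" prints names raw, so trailing spaces and control characters are easy to miss, while this Python scan flags the three name forms the letter lists. The function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

def classify(name: bytes) -> list:
    """Reasons a directory entry name is easy to overlook in an `ls` listing."""
    reasons = []
    # "..." and longer runs of dots imitate the "." and ".." entries.
    if len(name) > 2 and name.strip(b".") == b"":
        reasons.append("dots-only")
    # ".." followed by spaces looks identical to ".." on screen.
    if name != name.strip(b" "):
        reasons.append("leading/trailing space")
    # Control characters such as ^G (0x07) usually print as nothing.
    if any(c < 0x20 or c == 0x7F for c in name):
        reasons.append("control character")
    return reasons

def scan(root) -> list:
    """Walk root and return sorted (relative path, reasons) for flagged names."""
    root = os.fsencode(root)  # bytes paths keep undecodable names intact
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            reasons = classify(name)
            if reasons:
                full = os.path.join(dirpath, name)
                findings.append((os.path.relpath(full, root), reasons))
    return sorted(findings)

def demo() -> list:
    """Build a constructed sample archive in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for d in (b"pub/...", b"pub/..  ", b"pub/..\x07", b"pub/incoming"):
            os.makedirs(os.path.join(os.fsencode(root), d))
        with open(os.path.join(root, "pub", "README"), "w") as fh:
            fh.write("constructed sample file\n")
        return scan(root)

if __name__ == "__main__":
    for path, reasons in demo():
        print(repr(path), ", ".join(reasons))
```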
This thread is the first set of negative comments I've ever heard about CERT.
From: Clark Reynard <clark@metal.psu.edu>
Excepting the Morris Worm, can you name a SINGLE Computer Emergency which CERT has halted? It is simply an organization to keep the crypto-fascists wired into the net.
My experience with them in the past has been as a clearinghouse for users to report security-related bugs to vendors, and for vendors to provide fixes back to users. They've done an admirable job at this; the major complaint is that they are too slow. They also help distribute tools like COPS to validate unix workstation security. They are a proactive organization, not a reactive organization, so it's meaningless to ask what "Computer Emergencies" CERT has "halted". I think that calling them "crypto-fascists" is at best an unsupported smear, and at worst slanderous.
From: peter honeyman <honey@citi.umich.edu>
i am disappointed to hear these stories about cert, but encourage others with tales to tell to step forward. this is a real eye-opener.
I agree with Peter. If CERT is beginning to overstep its bounds perhaps someone should make a calm, rational complaint.
From: eichin@cygnus.com (Mark Eichin)
Umm, I thought CERT was a purely commercial organization, rather than a government one... did I miss something?
from the cert_faq, available as cert.org:/pub/cert_faq:

CERT is sponsored by the Advanced Research Projects Agency (ARPA). The Software Engineering Institute is sponsored by the U.S. Department of Defense.

Well, it's not a Government agency, but its money certainly seems to come from there.

Anyway, what I see here is an organization, founded for good reasons, which is getting a little out of hand. Rather than going ballistic, slandering CERT, and claiming they've never done anything of value, I think we should approach this as an internal problem at CERT.

Currently, there is a big problem on the Internet with randoms using anonymous dropoff points to trade commercial software illegally. CERT accepts reports of these problems. In many cases, I imagine, they are accurate, and the host admins are glad to have the CERT tell them about it. What we have here, I think, is a few malicious individuals or groups, who are using the CERT as a weapon against hapless ftp and mail sites. This problem could be easily alleviated by CERT checking up on such reports before passing them on to host or domain admins. I think Julf's example is a good one. A site not running ftp is not trading in illegal software via ftp. Period.

Idea for Eric: Send a letter to the RISKS Digest <risks@csi.sri.com> and <cert@cert.org>, documenting the RISKS of a "computer security" organization becoming overzealous, and not researching problems which have been reported before sending reports to host and/or domain administrators. Include the letter you forwarded to us, and mention Julf's problem. Perhaps others will even mention similar problems. I think this will have the desired effect.

Marc
"Intruder Community?" Interesting jargon these CERT people have? What kind of power do they possess or do they expect admins to go to the trouble of sending them logs of their FTP sites out of the goodness of their hearts?

Wassail,
Al
participants (4)
- Al Billings
- Eric Hughes
- Johan Helsingius
- Marc Horowitz