From: jasonc at science.org (Jason Coombs)
Subject: CERT, Full Disclosure, and Security By Obscurity

Aloha Len,

I'm very glad to see your comments articulating CERT's deevolution into a
pay-for-access zero-day private news wire.

When CERT failed to publish an advisory for the Windows certificate chain
validation flaw in August, 2002 that enabled holders of SSL certificates to
issue arbitrary end entity certificates that Windows/IE would trust
automatically (thus destroying all alleged server identity authentication
value derived through certificate chains and trust in third-party PKI) it
became pretty obvious that CERT had become worse than useless.

Unfortunately, CERT still holds the information security pole position in
the minds of reporters around the world. Call major newspapers and other
media outlets in the U.S. about vulnerabilities, exploits, or incidents and
often times the technical news desk will ask "What does CERT have to say
about this?"

When CERT has nothing to say, reporters won't run stories.

The media simply do not understand that CERT has self-interests that compel
it to suppress vulnerability information. Rather than educate the public to
the reality that SSL certificate chains are meaningless for server
authentication purposes and lobby vendors to rewrite SSL client code so that
end-users can focus more on manual verification of specific public keys
known to be associated with the entities with which they exchange sensitive
information, CERT sat on their hands.

This MUST be as a result of financial dealings with vendors of PKI software
and certificates, which have become big business in spite of the fact that
certificate chains are being abused by programmers who do not understand
their proper use as a means of enabling human users to authenticate the
trustworthiness of particular public keys known to be associated with
particular entities. The only proper use of automated PKI certificate chain
verification is for verification of self-issued certificates rooted at an
organization's own root CA.

Programmers should never have coded systems that automatically verify
certificate chains based on third-party root CA certificates. This is an
extremely bad misuse of PKI, and CERT could have and should have stepped
forward to help put a stop to the practice of misplacing third-party
automated trust when evidence surfaced that the worst-case scenario was in
fact playing out in the real world.

Sun Microsystems' Java Secure Sockets Extension (JSSE) was reported recently
to be vulnerable to a similar PKI certificate chain validation flaw. Do we
see an alert from CERT? Of course not. Do we see media attention to the
subject? No. This is no coincidence -- if CERT does not speak, then neither
does the media.

This makes CERT a harmful organization. It should be dismantled.

Sincerely,

Jason Coombs
jasonc@...ence.org

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of Len Rose
Sent: Thursday, January 30, 2003 4:22 AM
To: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] CERT, Full Disclosure, and Security By
Obscurity



I'm not usually allowed to have an opinion since I moderate the list
(in whatever sense that may mean for an unmoderated list) however,
I would like to say something about CERT and revisit why we created this
list.

This list was created because we saw  an ever-increasing trend to hide,
delay, distort, and totally bury security information for commercial gains,
or to protect certain priveleged entities (government, or paying customers)
from security issues.

As more and more security researchers make the crossover from research
into commercial security provider the trend increases as their customers
exert some pressure on them to stop releasing such dangerous information,
or as they see a commercial advantage to only making the information
available
to those who will pay.

Without condemning them at all, I have to point out that this often has an
effect of leaving the rest of the internet community in the dark, often at
the mercy of those who are privy to information that the average security
person, or systems team can't possibly know without lists like Full
Disclosure.

With the recent evidence that CERT informed it's paying members about the
Sapphire SQL worm before the rest of the world should now indicate that
they too are not a useful resource for timely and open security information.

As such, CERT has joined the list of special interest security entities for
whom there are other agendas that take precedence over the interests of
the internet community as a whole.

Perhaps a new cooperative effort should take the place of CERT if it can
avoid being prohibited from full disclosure by having it's funding tied
to keeping private and government interests informeed at the expense of
keeping the internet community informed of all security threats.

In the knee-jerk reactions to the events on September 11, the Pax Americana
campaigns around the globe, and now the recent march to Security By
Obscurity,
lists like Full Disclosure, and the security information it hopes to provide
may well become illegal (at least here in the US)

To summarize my opinion, I feel that security information must simply be
made available to as many people as possible as quickly as possible, and
let corporations, systems staff, and security professionals handle the
problems. "The public has a right to know.." and any comparisons to
dislosing national security technology to the full disclosure of software
and
network security problems should be totally ignored as they simply don't
apply.


(Gee, I never thought there would be such a thing as the Ivory Tower
 Security Establishment, but look, Ma.. they've all grown up..)


Len

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists