From: len at netsys.com (Len Rose)
Subject: CERT, Full Disclosure, and Security By Obscurity

I'm not usually allowed to have an opinion since I moderate the list 
(in whatever sense that may mean for an unmoderated list) however, 
I would like to say something about CERT and revisit why we created this list.

This list was created because we saw an ever-increasing trend to hide, 
delay, distort, and totally bury security information for commercial gains, 
or to protect certain privileged entities (government, or paying customers)
from security issues. 

As more and more security researchers make the crossover from research
into commercial security provider the trend increases as their customers
exert some pressure on them to stop releasing such dangerous information,
or as they see a commercial advantage to only making the information available
to those who will pay.

Without condemning them at all, I have to point out that this often has an 
effect of leaving the rest of the internet community in the dark, often at 
the mercy of those who are privy to information that the average security 
person, or systems team can't possibly know without lists like Full Disclosure.

The recent evidence that CERT informed its paying members about the 
Sapphire SQL worm before the rest of the world should now indicate that 
they too are not a useful resource for timely and open security information.

As such, CERT has joined the list of special interest security entities for
whom there are other agendas that take precedence over the interests of
the internet community as a whole. 

Perhaps a new cooperative effort should take the place of CERT if it can
avoid being prohibited from full disclosure by having its funding tied
to keeping private and government interests informed at the expense of
keeping the internet community informed of all security threats.

In the knee-jerk reactions to the events on September 11, the Pax Americana
campaigns around the globe, and now the recent march to Security By Obscurity,
lists like Full Disclosure, and the security information it hopes to provide, 
may well become illegal (at least here in the US).

To summarize my opinion, I feel that security information must simply be
made available to as many people as possible as quickly as possible, and
let corporations, systems staff, and security professionals handle the
problems. "The public has a right to know.." and any comparisons of
disclosing national security technology to the full disclosure of software and 
network security problems should be totally ignored as they simply don't
apply.


(Gee, I never thought there would be such a thing as the Ivory Tower
 Security Establishment, but look, Ma.. they've all grown up..)


Len