Date: Fri, 24 Oct 2008 00:01:23 +0100
From: n3td3v <xploitable@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: DHS / US-CERT do we need them want them?

I'm not against anyone here, just I think and most people agree DHS has been pretty pointless and ineffective in its goals. You can see they mean well, but they do it all wrong. Basically, it seemed to be a department which grouped existing or new departments together under one umbrella. I think the point was to centralise them all into one command and control coordination group called DHS.

Did US-CERT do well, what do they do? They look out for vulnerabilities on the mailing lists and act as a bridge between vendors and the interest of the government. If the government have an interest in say a DNS vulnerability, they will email vendors and say, you got to patch this, we are putting pressure on you to patch. Also, the federal government are rolling out DNSSEC to its domain name infrastructure.

So, basically, US-CERT seems to be an oversight posture, overseeing not only their government interests, but overseeing businesses and academia, to make sure their standards are up to scratch and making sure they know what they need to know so that they can make a decision which US-CERT will end up bullying them into doing with emails and telephone calls. So I can see maybe US-CERT might have a reason to be there, to oversee the rest of us and bully us with recommendations they force upon you if you don't take the primary polite hint at updating something.

Do we need US-CERT? Do we need DHS? The truth is, we could probably keep US-CERT, but generally they are just bullies with the security community they oversee, and if the DHS was disbanded, then the US-CERT could still exist without the DHS umbrella, although it might be better if US-CERT and DHS just go at the same time. I agree with the idea of what they want to do, I just don't like the way in which they do it.

Their approach to protecting the homeland is all wrong. US-CERT are bullies to the infosec community, we shouldn't need to feel intimidated by them, as I feel some vendors are in times like the DNS flaw when the government start demanding things. Good night.

The things that US-CERT do and recommend, the vendors know about already, US-CERT are just like an annoyance alarm bell in your ear you can't get rid of when you already know what you need to know. So if US-CERT and DHS weren't around we wouldn't be less off, we would be better off without them. I'm sure they, US-CERT, keep doing it to their own government departments as well, emailing and phone calling them about things they already know about.

Lastly, their email alert system, it is slow, so slow at telling people about things that it just becomes a spam alert in your inbox of old news, and that reflects what I was talking about in this email about them sending spear targeted emails and phone calls to vendors and government departments, which already have their security teams taking care of issues and don't need the oversight and bully boy annoyances that US-CERT seem to pose.

The funny thing is, this isn't even personal experience I'm talking about, as you know I'm not part of the professional community, but I know what's going on because I talk to people and I read the mailing lists and get the vibe that this is what US-CERT do in reality: bully boy people into doing things and telling them things they already know, and demand things are done. And in times of need, force people to work with each other even if they don't really want to. Maybe the forcing people to collaborate is a good thing at critical times, but you don't need a whole US-CERT for that, it just takes a couple of independent folks to do that, out there in the community when it becomes apparent that action with multi-vendors and governments is required.

Do we need DHS? No. Do we need to keep US-CERT? No, because the skilled folks are already there at each government department and vendor; they are more up to speed than the DHS and US-CERT appear to be on security vulnerabilities and what needs to be done. There is no need to pump money into US-CERT which only tells people what they know already; this is the case with individual end-users, vendors and government departments, they don't see US-CERT/DHS as needed, it's just a luxury.

It's like driving a Bentley, when I can still get to where I want to go in a Mini. The Mini is smaller, more economic on fuel, nippier round the bends in the cities, while the Bentley is a big heavy, fuel/money guzzler, slower but looks shinier on the outside, but in fact does the same thing as the Mini. So better off with the Mini I say, unless you just are a show off and want to impress people on the outside, when not really offering anything new on the inside that the Mini can't offer. And with the Mini / Bentley thing now in your head, that is basically what it comes down to and explains the situation well: why have a Bentley, when all we want is a Mini? Or better off get a bus or a train and don't bother with any oversight group that bullies people and offers nothing new to anyone that they didn't know already.

Another rant done and done, good night. Sorry people who work for US-CERT, you are probably nice guys who mean well, but never mind, you get my point.

n3td3v.

Take care everybody, we as white hats should stick together, but just because I don't agree with something a white hat does doesn't make me bad. People seem to think if you're a white hat, you can't speak out about another white hat or you will be called a bad person; no, I think it's ok to talk about other white hats if another white hat doesn't agree with something. But people like Valdis will still call me names, but he is probably a Republican, so who cares.

n3td3v is not a bad person, I'm a good natured person, maybe with shit social skills but who cares about it??? We don't become great computer people by having a social life and going out places, do we? Good night.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/