If memory serves me correctly, a similar thread carried it's way across
this list in the not too distant past. As a rule, I like to remain silent
on these issues; however I'm feeling pretty verbose today so excuse me
while I expound on CERT, issues of credit and some personal observations
on FIRST.
SNI (the company for which I work) has a fair amount of experiance with
bug reports, advisories etc. In the course of our own advisory writing we
have learned a few things which I would like to impart to the rest you.
First, people need to understand FIRST organizations (perhaps CERT in
particular). FIRST organizations are by and large Incident Response based,
pay some attention to this. Their primary role is to respond to
constituents, provide them with support for break-ins, and on occasion
notify them of currently abused software packages.
Most FIRST organizations in the non-profit arena at least, are woefully if
not wholly incapable of pro-active vulnerability assesment. There are a
number of reasons for this. Primarily, their work load is stupefying in
some cases, and most if not all of the non-profit FIRST groups are
seriously understaffed. Please, note that this is not my attempt at being
an apologist for FIRST (CERT in particular) I am simply stating some
realities as I have seen them.
The problem lies in the fact that organizations such as CERT have yet to
come public and let the world know precisely what their capabilties are.
They are *not* in most cases capable (for above mentioned reasons, and
others) of doing vulnerability assesment. If you are interested in getting
bugs fixed, go to the vendor, go fix it yourself or go public. Sending
your bugs to CERT is pretty unsatisfying in most cases.
While I am on this topic, let me dispell another myth. CERT and other
IRT's have no more authority or pull than you as a user do with vendors.
They get stonewalled and brushed off just like the rest of us. This is
another thing they should be straight forward about. FIRST teams do not
have a a magic contact at vendors which will see the bugs you send them
fixed. To emphasize this, let me share a quote I recently heard from a
vendor contact at the FIRST symposium in Bristol.
Vendor contact: "Company X is a multi-billion dollar company, do you
really think they are going to spin on a dime to fix a bug for you?".
He continued to expound on the values of Bugtraq, and how he appreciates
seeing bugs posted as it helps him save time having engineers research
problems sent to him. Another issue, perhaps one more serious, is that
most vendor security contacts whom you send mail to, have very little
authority inside of their organization. They are in the uncomfortable
situation of being the contact point for bugs, which they may very well
like to see fixed, but have no authority to issue fixes for. Vendors are
complicated money driven creatures. Never make the mistake of assuming
they are benevolent in their dealings with you. Their bottom line is
profit. Until security starts taking a bite out of their profit margins,
security is going to continue to be neglected.
FIRST groups simply cannot change vendor attitudes like this; however we
as a purchasing public can. Free alternatives exist, use them. Purchase
decisions fall inside the control of many people here, excercise it. Let
vendors know you take security as a priority and that it affects your
purchasing decisions.
Now having said this, I will address CERT's serious and habitual
prediliction for not giving credit etc. I think it's pretty dismal that
they continue to do this. Seeing as they are housed at CMU, I wonder if a
CMU academic honesty committee has any authority over them. Last time I
checked, lack of credit and plagiarism are still serious offenses in the
acedemic community.
In closing let me state, that while some FIRST groups behave less than
perfectly, and some vendors are borderline negligent in their behaviour,
not all vendors or FIRST groups fall into this catagory. We tend to
criticize but not compliment the vendors and FIRST groups. SNI has had
*very* good experiences dealing with Sun (post Mark Graff era),
HP, BSDI, the Apache developers, Stonghold, OpenBSD, FreeBSD as well some
indvidual maintainers/vendors. We feel they deserve some credit for
attempting to address the problems sent to them. As far as FIRST groups
go, AUSCERT does a very good job. Credit where credit is due.
/*************************************************************************
Alfred Huger Phone: 403.262.9211
Secure Networks Inc. Fax: 403.262.9221
**************************************************************************/