Re: [Full-Disclosure] CERT, Full Disclosure, and Security By Obscurity

From: Georgi Guninski (guninski@guninski.com)
Date: 01/30/03

    From: Georgi Guninski <guninski@guninski.com>
    To: Ben Laurie <ben@algroup.co.uk>
    Date: Fri, 31 Jan 2003 00:21:05 +0200
    

    Ben Laurie wrote:
    > Len Rose wrote:
    >
    >> With the recent evidence that CERT informed its paying members about
    >> the Sapphire SQL worm before the rest of the world should now indicate
    >> that they too are not a useful resource for timely and open security
    >> information.
    >
    >
    > This is news why? CERT told me that is what they wanted to do when I
    > was, errm, in dispute with them over timing of the release of the
    > OpenSSL holes last year. I believe I mentioned it at the time.
    >
    > That's one reason I won't pre-notify CERT (or, indeed, anyone else
    > [other than the vendor]) anymore.
    >

    According to:
    http://www.businessweek.com/technology/cnet/stories/982663.htm
    "... But Litchfield said he felt "a betrayal of trust" because CERT had "leaked
    (the information) to certain organizations and government departments" before
    passing it on to IT workers ..."
    There was a more interesting article on eWeek yesterday.

    Recently, when I notified some vendors about a vulnerability, I wrote something
    like a license agreement saying that the info should not be disclosed to m$, cert,
    mitre, sf and others.

    Georgi

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
