Subject: [Full-Disclosure] CERT, Full Disclosure, and Security By Obscurity Date: Thu, 30 Jan 2003 09:22:07 -0500 From: Len Rose <len AT netsys DOT com> To: full-disclosure@lists.netsys.com I'm not usually allowed to have an opinion since I moderate the list (in whatever sense that may mean for an unmoderated list) however, I would like to say something about CERT and revisit why we created this list. This list was created because we saw an ever-increasing trend to hide, delay, distort, and totally bury security information for commercial gains, or to protect certain priveleged entities (government, or paying customers) from security issues. As more and more security researchers make the crossover from research into commercial security provider the trend increases as their customers exert some pressure on them to stop releasing such dangerous information, or as they see a commercial advantage to only making the information available to those who will pay. Without condemning them at all, I have to point out that this often has an effect of leaving the rest of the internet community in the dark, often at the mercy of those who are privy to information that the average security person, or systems team can't possibly know without lists like Full Disclosure. With the recent evidence that CERT informed it's paying members about the Sapphire SQL worm before the rest of the world should now indicate that they too are not a useful resource for timely and open security information. As such, CERT has joined the list of special interest security entities for whom there are other agendas that take precedence over the interests of the internet community as a whole. Perhaps a new cooperative effort should take the place of CERT if it can avoid being prohibited from full disclosure by having it's funding tied to keeping private and government interests informeed at the expense of keeping the internet community informed of all security threats. In the knee-jerk reactions to the events on September 11, the Pax Americana campaigns around the globe, and now the recent march to Security By Obscurity, lists like Full Disclosure, and the security information it hopes to provide may well become illegal (at least here in the US) To summarize my opinion, I feel that security information must simply be made available to as many people as possible as quickly as possible, and let corporations, systems staff, and security professionals handle the problems. "The public has a right to know.." and any comparisons to dislosing national security technology to the full disclosure of software and network security problems should be totally ignored as they simply don't apply. (Gee, I never thought there would be such a thing as the Ivory Tower Security Establishment, but look, Ma.. they've all grown up..) Len _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Last modified: Thu Jan 30 07:42:24 PST 2003