Forwarded from: security curmudgeon <jerichoat_private>

> http://www.wired.com/news/infostructure/0,1377,58106,00.html
>
> By Brian McWilliams
> March 19, 2003
>
> Riley Hassell was bewildered this week when details from a
> confidential bug report he had written mysteriously showed up on a
> popular security mailing list.

> Hack4life apparently intercepted both documents from the Computer
> Emergency Response Team, a federally funded security information
> clearinghouse. CERT officials confirmed this week that CERT had been
> working with eEye and MIT researchers to coordinate the release of
> the advisories. According to CERT, intruders may have hacked into
> systems operated by any of the dozens of affected vendors who
> received advance copies of the advisories.
>
> "It is possible that these messages were posted as a result of a
> compromise of a vendor's system, and we are advising them to look
> for signs of a compromise," said Shawn Hernan, vulnerability
> handling team leader for CERT.

> CERT also gives an advance warning about flaws to members of the
> Internet Security Alliance, an information-sharing consortium. ISA
> members pay a fee to CERT to receive early notification of
> vulnerability information.

Shawn Hernan simply can't be that naive .. can he? These pre-warnings go
to vendors AND members of the ISA, a vulnerability cartel (aka
information-sharing consortium). Yet he suggests that the vendors notified
look at their systems for compromise? It had to occur to him that one of
the vulnerability cartel members has an insecure system or upstream that
allowed this compromise. But hey, they are paying customers, can't shine
any negative light on them, right? That's what they are paying for.

> In January, Mark Litchfield, a security researcher with NGS
> Software, threatened to boycott CERT after learning that information
> his company confidentially provided to the clearinghouse was
> distributed first to ISA, and only weeks later to the general
> public.

How many times has this happened? When is this *federally funded* group
going to be held accountable for their actions? Our tax dollars are
funding them to put this information in the hands of people paying them
money, and not in my hands in a timely fashion.

> In a posting to the list Monday, Rose said he refused Yu's request,
> because such a move would violate the editorial integrity of the
> list's archives. Yu was not immediately available for comment.

That and the post would pop up on a dozen web sites within minutes of it
being pulled down. Does Yu forget this is a mailing list and copies of
the posts get distributed to thousands of people?

> CERT representatives declined to say when the organization planned
> to release official versions of the leaked advisories.

Even with leaked draft copies, CERT still can't release anything on time.
Go figure.

Previous CERT antics:

CERT Rides the Short Bus
http://www.attrition.org/security/rant/z/jericho.002.html

Cashing in on Vaporware
http://www.attrition.org/security/rant/z/jericho.007.html

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn'
in the BODY of the mail.
This archive was generated by hypermail 2b30 : Tue Mar 25 2003 - 03:02:57 PST