I don't have much to say about The Open Group taking X private. I don't like it, but that's neither here nor there.

My concern is that CERT has let itself be used as a marketing tool. To be fair, I believe it was accidental.

There are two types of CERT postings: advisories and vendor initiated bulletins. The former are what gets passed around among vendors before CERT releases the information, and they contain exploit information. They usually concern common code that lots of systems share, and for that reason are of interest to multiple vendors. The latter are precisely what the name implies -- vendors give the CERT information and CERT disseminates information as to where patches are available to users of those systems. The idea is that vendor-initiated bulletins are specific to a vendor, so there's no reason to provide exploit information to other vendors.

What happened in this case was that The Open Group gave CERT a vendor bulletin, but it concerned code shared by other vendors. Because the problems were in common code and the bulletin explicitly stated that the common versions were vulnerable, the bulletin's message became "there's a security problem in your systems, and if you don't buy software from us, your children will eventually have to beg for food in the streets."

This is a slippery slope. When BSDI finds a security problem in common code, we tell CERT about it, and we provide exploit code to them, because we know that when CERT finds out about problems in common code from Sun or FreeBSD, we'll get exploit code from them. This only works if all the vendors play by the same rules. If the rules have changed, I think you can confidently expect to see vendor initiated bulletins from BSDI that read something like:

    We have found a horrible, awful life-threatening problem in the TCP/IP stack, and Solaris is vulnerable! If you don't buy BSDI systems, hackers will have cancelled all of your credit cards by tomorrow evening. Nyah, nyah, nyah!
Again, I believe this was accidental on CERT's part, and I don't think it had to have been malicious on The Open Group's part. Holding back information for a week while your customers get a preview is something that most companies have done from time to time.

That said, we have a problem, and both CERT and The Open Group need to fix it:

1. The Open Group should immediately release full information for the X bugs they've reported (including exploits), to CERT.

2. CERT should immediately circulate that information to the usual vendors/groups.

3. CERT should publicly state that their policy is that vendor initiated bulletins should not concern common code shared by vendors, and advisories about common code should include information sufficient for other vendors to fix their systems.

Obviously, in the future, The Open Group can choose not to send exploit information to CERT, that's their choice. Alternatively, The Open Group can send CERT vendor-initiated bulletins, but in that case, they should not mention code that is used by other groups, regardless of other groups being at risk. CERT cannot function as it has up to now, if it permits itself to be put in the position of providing a marketing advantage to a vendor.

So... I'd suggest if you haven't already done so, call CERT and let them know that you're concerned. There's a problem here, and it needs to be fixed.

Keith Bostic
BSDI
bosticat_private
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:52:04 PDT