Xref: utzoo comp.sources.d:5161 news.sysadmin:2861 Path: utzoo!utgpu!news-server.csri.toronto.edu!mailrus!purdue!spaf From: spaf@cs.purdue.EDU (Gene Spafford) Newsgroups: comp.sources.d,news.sysadmin Subject: Re: Security, not obscurity. Message-ID: <10263@medusa.cs.purdue.edu> Date: 8 Apr 90 01:31:16 GMT References: <16900@well.sf.ca.us> <1990Mar29.055350.2922@Jhereg.Minnetech.MN.ORG> <1105@rwing.UUCP> <2364@sialis.mn.org> <291@van-bc.UUCP> Sender: news@cs.purdue.EDU Reply-To: spaf@cs.purdue.edu (Gene Spafford) Followup-To: comp.sources.d Organization: Department of Computer Science, Purdue University Lines: 40 If you want to report a security bug or problem, your best bet is to report it to the CERT (Computer Emergency Response Team). Their e-mail address is cert@cert.sei.cmu.edu The CERT 24-hour hotline is (412) 268-7080. They will accept (and solicit) reports of any security flaw in software/hardware in systems currently on the Internet, and they will also accept reports of breakins and security incidents in progress. The folks at the CERT have ties in to most major vendors, they take reports very seriously, they keep the information confidential until fixes are available, and they don't dally when they get a report. They also have good contacts and working relationships with the various law enforcement agencies that would respond to problems you may be having. The CERT does no investigation on its own, and has no explicit jurisdiction or authority over security or law -- they are just a trusted crisis center that can direct your reports to the most appropriate parties. If you want to submit something to the security mailing list, you can mail it to "security@cpd.com" or "zardoz!security". Mailings to this list will reach people at major vendors, including DEC, AT&T and Sun, as well as the CERT and admins at many major sites. Note that the list may go to some unprotected sites, and anything appearing in the list is assumed to be known to the "bad guys" shortly after posting, so please use care in sending in news of gaping holes that cannot be fixed (send them to CERT, instead). If, for any reason, you do not wish to be associated with a report to the CERT or a security list, you can send reports to me. If I receive a report via email (or phone -- 317-494-7825) with a request to forward it anonymously, I will be happy to pass it along to the appropriate place with all identification stripped. I will also pass along other reports, too, if you ask me to. That assumes you feel you can trust me, of course. (1/4 :-) -- Gene Spafford NSF/Purdue/U of Florida Software Engineering Research Center, Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004 Internet: spaf@cs.purdue.edu uucp: ...!{decwrl,gatech,ucbvax}!purdue!spaf