Path: utzoo!utgpu!news-server.csri.toronto.edu!rutgers!apple!mips!zaphod.mps.ohio-state.edu!sdd.hp.com!elroy.jpl.nasa.gov!ames!haven!decuac!shlump.nac.dec.com!tkou02.enet.dec.com!diamond
From: diamond@tkou02.enet.dec.com (diamond@tkovoa)
Newsgroups: comp.sources.d
Subject: Re: Security, not obscurity.
Message-ID: <1443@tkou02.enet.dec.com>
Date: 9 Apr 90 02:46:10 GMT
References: <16900@well.sf.ca.us> <1990Mar29.055350.2922@Jhereg.Minnetech.MN.ORG> <1105@rwing.UUCP> <2364@sialis.mn.org> <291@van-bc.UUCP> <10263@medusa.cs.purdue.edu>
Reply-To: diamond@tkou02.enet.dec.com (diamond@tkovoa)
Organization: Digital Equipment Corporation Japan , Tokyo
Lines: 35

In article <10263@medusa.cs.purdue.edu> spaf@cs.purdue.edu (Gene Spafford) writes:

>If you want to report a security bug or problem, your best bet is to
>report it to the CERT (Computer Emergency Response Team). Their
>e-mail address is cert@cert.sei.cmu.edu
>The CERT 24-hour hotline is (412) 268-7080. They will accept (and
>solicit) reports of any security flaw in software/hardware in systems
>currently on the Internet, and they will also accept reports of
>breakins and security incidents in progress.

Yup, they will ACCEPT and SOLICIT these reports. But if I understand
the messages in this newsgroup correctly, they won't tell the submitter
(or most other innocent sysadmins) how to protect themselves against
these same reported bugs. Have I misunderstood most of the recent
messages in this group?

>Note that the
>list may go to some unprotected sites, and anything appearing in the
>list is assumed to be known to the "bad guys" shortly after posting,

Yup, and it STILL doesn't get sent to most of the "good guys".
But surely the "bad guys" often share the information with each other.
Gene Spafford says that he assumes that reported bugs go MOSTLY to
the bad guys.

Most of the net needs an unrestricted group. Furthermore it belongs
in comp.* rather than alt.*, so that most sysadmins can receive it.

(Disclaimer: I am not a sysadmin. Maybe I assume too much. Maybe most
sysadmins are not innocent, or they don't care. Yeah, sure.)

--
Norman Diamond, Nihon DEC     diamond@tkou02.enet.dec.com
This_blank_intentionally_left_underlined________________________________________