Earlier, Paul A Vixie wrote:

> I think this anti-CERT sentiment is misplaced. If someone tells CERT about
> a bug and CERT manages to tell the vendors about the bug, before _everybody_
> knows about the bug, then it seems to me that a good service has been done.

[..]

> a bad guy finds a hole
> lots of bad guys use the hole
> some good guy notices the hole being used, and tells CERT
> CERT tells the vendors
> some vendors get a binary patch together; others ignore it
> CERT tells the world of the existence (but not details!) of the hole,
> and gives references to the vendor's patches, and suggested
> workarounds

[..]

One problem is the time difference between the first and last data points you have outlined. CERT quite often sits on "problems" for a considerable length of time (be it to wait for the vendor patch or otherwise). During that time, the underground is happily running around exploiting the "vulnerability" in question, until it reaches a threshold that prompts CERT to go out and give a warning about it.

One particular instance of this is the "tcp sniffer" saga. CERT knew about this specific item of software somewhere in the order of 18 months before they made an announcement (brought on because its use had reached plague proportions). How many systems and network-wide attacks would have been saved if CERT had made noise about the software 18 months earlier? If you think about it, it's gross negligence on their behalf (don't blame the author of the software either ...).

Maybe if they decided to announce problems faster, rather than play god in terms of deciding when is the best time to tell the community about a particular vulnerability.

Matthew.

--
Matthew Gream
Consent Technologies
Sydney, (02) 821-2043
M.Gream@uts.edu.au