Gene Spafford says:

> If someone's site has been broken into, CERT will respond to the phone
> 24 hours a day. Maybe their response isn't always as complete as some
> people on this list and elsewhere would like. But they do respond,
> and they do try to help sites get cleaned up after incidents and back
> "on the air". They have responded to thousands of incidents, many for
> admins at sites who had nowhere else to turn and no clue what to do.

I was in the position of calling up CERT during the last set of Sendmail trouble. They could tell me nothing of value. I was in a position of trying to decide whether the threat to the company I worked for was sufficient to shut down production work going on over the internet to defend us -- making the wrong decision, either way, would cost us big time.

CERT was a useless lump of merde so far as I could tell. They could tell me nothing useful to evaluate the threat, and they could not or would not tell me anything about how to fix it. Not even the most general questions were answered.

"Can the problem be used to penetrate a machine that you don't have direct TCP access to?" "We can't tell you."

"Can the problem be fixed by removing the PROG mailer?" "We can't tell you."

"Can the problem be used to gain root access directly, or only access as daemon or the like?" "We can't tell you."

I'm sure Gene will say "it was Sun's responsibility to fix your problem". Well, that may be so, but on the other hand, it was my responsibility to fix the problem -- if we'd had a penetration my management would not have forgiven me on the basis that our vendor let us down. I would have been fired -- deservedly. I didn't have time to play children's games about who could tell what to whom. I wasn't even concerned about open disclosure as a matter of principle -- I just wanted disclosure to ME as a matter of practical necessity.

Ultimately, I was forced to go to personal contacts to find out sufficient information. There were people at Sun and personal friends who understood that I had a multi-billion dollar brokerage and trading operation to worry about; I got the impression the CERT people were smart-assed college kids willing to jerk me around for the sake of playing secret agent with information too valuable to tell. Certainly nothing would have happened to anyone at CERT were I penetrated -- I doubt they have any accountability to anyone. No one there could even give me a procedure to clear myself as trustworthy -- there was simply no way to get "there" from "here".

Perhaps you will say that it wasn't their function to help me. If their function was not to help me, then why bother giving out their phone number in the first place? Why send out alerts? It's a cruel trick to hand someone a phone number and then have the person on the other end be as responsive as a rock.

Frankly, I'm glad bugtraq is here and I don't have to rely on them anymore.

Perry