> > > Gene Spafford says:
> > If someone's site has been broken into, CERT will respond to the phone
> > 24 hours a day. Maybe their response isn't always as complete as some
> > people on this list and elsewhere would like. But they do respond,
> > and they do try to help sites get cleaned up after incidents and back
> > "on the air". They have responded to thousands of incidents, many for
> > admins at sites who had nowhere else to turn and no clue what to do.
>
> I was in the position of calling up CERT during the last set of
> Sendmail trouble. They could tell me nothing of value. I was in a
> position of trying to decide whether the threat to the company I
> worked for was sufficient to shut down production work going on over
> the internet to defend us -- making the wrong decision, either way,
> would cost us big time. CERT was a useless lump of merde so far as I
> could tell.
>

[ Diatribe deleted ]

If there is one "useless lump of merde" sitting anywhere on the
Internet, it is Sun Micro. If they had begun shipping a version of
sendmail that had closed up the known security holes when they were
discovered (has it been 3 years now?) half of these problems would
never have arisen. I seem to recall that my first introduction to the
sendmail holes was back when SunOS 4.0.x was still a pretty neat thing.
Then they proceeded to ship insecure sendmails with every release
through 4.1.3 along with a note to the effect of "we know this is
insecure, and the patch is available, but we are just too damn slack to
put it into the release version."

As for CERT, I think you hit the nail on the head when you said that
your help came from "personal contacts", "personal friends" and "people
at Sun". I.e. people who know you and your intentions along with the
people who should have been responsible for getting it right in the
first place. This is opposed to a high profile organization, who
probably get calls from every pinhead on the internet thinking they can
bamboozle CERT into giving away some information that'll help them get
a copy of their programming languages final.

CERT has been very helpful in helping us clean up after one of our
systems (a Sun, imagine that) had been compromised by some two-bit hack
with a box of pre-written tools that he most likely got from someone
else on the net. They have also been prompt and forthright with new
information they've received from other sites this person has targeted,
as well as in coordinating the communication between us and the ASSIST
team, the .mil counterpart to CERT.

And as for the impression that CERT is a bunch of "smart-assed college
kids willing to jerk me around for the sake of playing secret
agent...", I'd like to state that the CERT investigator that has been
in contact with me has been nothing but professional, helpful and
knowledgeable without delusions of grandeur about having all this
"information too valuable to tell."

And when you consider that CERT has a grand total of 14 whole people to
deal with an average of 7 new incidents every day, it's no wonder they
don't have time to give out cracking tips to every Joe Blow who calls
up and asks for them.

Perhaps your company would be better off investing a little of their
"multi-billion dollar" fortune on a system that didn't have a list of
security patches as long as my arm, and perhaps even an administrator
who is willing to do a little research on his own before whining about
not having the clue-book.

Let's put the blame back where it belongs, on the vendors who so
graciously supply us with these security-hole-ridden operating systems.
And not just Sun, another of my favorite 3-letter OS vendors loves to
ship their machines with a "+" in the hosts.equiv file, that's secure.

So that's my $.02, I guess I'll just sit here for a while and watch the
flames roll in, for a while.

Sincerely,
A Satisfied CERT Customer.

---------------------------------------------------------------------------
Eric Brunson                                    brunson@scri.fsu.edu
Unix System Manager / CM2 Manager               904.644.0188
Supercomputer Computations Research Institute
Florida State University

"The juvenile sea squirt wanders through the sea searching for a
suitable rock or hunk of coral to cling to and make its home for life.
For this task it has a rudimentary nervous system. When it finds its
spot and takes root, it doesn't need its brain any more so it eats it.
It's rather like getting tenure."
        _Consciousness_Explained_ by Daniel C. Dennett