[news.sysadmin] Security, not obscurity.

spaf@cs.purdue.EDU (Gene Spafford) (04/08/90)

If you want to report a security bug or problem, your best bet is to
report it to the CERT (Computer Emergency Response Team).  Their
e-mail address is cert@cert.sei.cmu.edu.
The CERT 24-hour hotline is (412) 268-7080.  They will accept (and
solicit) reports of any security flaw in software/hardware in systems
currently on the Internet, and they will also accept reports of
break-ins and security incidents in progress.

The folks at the CERT have ties in to most major vendors, they take
reports very seriously, they keep the information confidential until
fixes are available, and they don't dally when they get a report.
They also have good contacts and working relationships with the
various law enforcement agencies that would respond to problems you
may be having.  The CERT does no investigation on its own, and has no
explicit jurisdiction or authority over security or law -- they are
just a trusted crisis center that can direct your reports to the most
appropriate parties.

If you want to submit something to the security mailing list, you can
mail it to "security@cpd.com" or "zardoz!security".  Mailings to this
list will reach people at major vendors, including DEC, AT&T and Sun,
as well as the CERT and admins at many major sites.  Note that the
list may go to some unprotected sites, and anything appearing in the
list is assumed to be known to the "bad guys" shortly after posting,
so please use care in sending in news of gaping holes that cannot be
fixed (send them to CERT, instead).

If, for any reason, you do not wish to be associated with a report to
the CERT or a security list, you can send reports to me.  If I receive
a report via email (or phone -- 317-494-7825) with a request to
forward it anonymously, I will be happy to pass it along to the
appropriate place with all identification stripped.  I will also pass
along other reports, too, if you ask me to.  That assumes you feel you
can trust me, of course. (1/4   :-)
-- 
Gene Spafford
NSF/Purdue/U of Florida  Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet:  spaf@cs.purdue.edu	uucp:	...!{decwrl,gatech,ucbvax}!purdue!spaf

ed@braaten.doit.sub.org (Ed Braaten) (04/09/90)

In article <LYNDON.90Apr5115012@orthanc.AthabascaU.CA> lyndon@cs.AthabascaU.CA (Lyndon Nerenberg) writes:
>
>I thought once upon a time that a moderated newsgroup would be a
>good way to disseminate information about system security. The
>few times this has been mentioned there seemed to be considerable
>opposition to it. Due to the nature of some of the material that
>would be posted I can see how some system administrators would be
>a bit nervous about all their users having access to the information.

Of course I would be nervous, but it is my responsibility to protect 
my users by applying this information.  How can I do this if I don't
have the info?

>However, I don't consider burying one's head in the sand as a good
>way of dealing with system security issues. 

I don't either.  And as has already been stated by several others,
most of us doing system administration duties don't have the time
to try to find all the security holes in our systems.  I am thankful
for any tips I can get on potential security problems.

>
>Perhaps the net is now ready for a moderated security newsgroup
>in the alt hierarchy. This allows sites to join into the discussion
>by their own choosing, rather than at the whim of a mailing list
>maintainer. Paranoid folks could ignore the problem by not subscribing.
>
>Comments?

I would like to see this happen.  Hiding the information is nonsense!
I'm 100% for such a newsgroup.


--------------------------------------------------------------------------
        Ed Braaten             |  "For the wages of sin is death, but the
Work: ed@imuse.intel.com       |   gift of God is eternal life in Christ
Home: ed@braaten.doit.sub.org  |   Jesus our Lord."           Romans 6:23 
--------------------------------------------------------------------------