On 10/9/07, Steven Adair <[EMAIL PROTECTED]> wrote: > > I think you guys are both mixing up CERT (cert.org) and US-CERT > (us-cert.gov) -- both of which have very different functions. As > mentioned though, you probably wouldn't want to call either if your > Internet goes down. > > Steven > > They both suck though, and its not clear cut who is responsible for what. > The US-CERT vulnerability and incident report proceedure sends e-mail to > both US-CERT and CERT.
Also it was the US-CERT bulletin alert e-mail which had [EMAIL PROTECTED] in it, so those folks who are ment to be running an emergency response team better get their shit together, People want to know where to tell the government about something, and the government should be approachable. lots of folks are scared to contact the government directly about shit, incase it draws attention to them and they end up getting into trouble for something completely different. I also believe the spying and undercover work that goes on on irc channels for example is stupid, and befriending folks to get information on the latest security news is wrong. If there were known government folks on the irc channels and they were open about who they were, the government would gather far more intelligence about hacks than being undercover. Trust me, the government think they need to be undercover to get the best intelligence, but the way I see it, the government would be suprised how many folks come forward in a friendly way if they said, yes i work for cert or the dhs, i'm a cyber security contact if anyone wants to talk to me about anything. the government need to get this whole situation sorted out with tricking and entrapping folks on irc and other places. while i know in some investigation work undercover is the way to go, there is also a need for the government to be more open with the security community when lurking around the underground communities. the government should have a "cyber security contact" in the major public underground irc channels, not the whole big undercover operation the government currently run. plus, i don't believe their keyword data mining uncovers everything the government should know, conversations on the internet by the bad guys are often crafted in a certain way, because they know they are being monitored, now if the government had open points of contact for the underground to talk to, who were friendly approachable people, then the government would do far better in public relations with the computer security community than they do at present. i'm sick of the government as it currently stands, i'm sick of the government and their intelligence services thinking the only way to find out about things is to be undercover and have sophisticated intelligence collecting software. trust me, if the government were just open with everyone everyone would be the winner. there are people that are happy to give vulnerabilities, zero-day and intelligence to the government, and you want to know why? because not everyone likes everyone, so its within the hackers agenda to give zero-day to the government which belong to their enemies, to cancel out the enemies own agenda. back in the day when i first began the whole hacking thing, i would backstab my friends by telling yahoo security team what they were upto and give them zero-day software, to get patched, this is so, their zero-day were patched out, but my stuff wasn't. so there are always reasons why the security community would approach the government if their was a friendly approachable representaitive in all the major public communties. what i want the government to get away from is the impression people have of them and thats "big bad government with dark security services posing as normal people in communities", and not just online communities, i mean in real life as well, they have folks in towns and cities as well, doing devious undercover general surveillance, but if the government were just open with folks, things would be a lot easier. while full-disclosure is close to being a point of contact to disclose things, there would be a lot more unearthed if their were human points of contacts in the major public communities, because a mailing list isn't always the way people want to contact the government and an online e-mail form on a website isn't always suitable for the hacker either, hackers want human interaction with the government over irc, and other forms of real time communication. stop the whole devious government thing, and get open points of contacts within communities. hackers don't want to use online e-mail forms and hackers want assurances that they won't become suspects themselves for being informants to a human cyber security point of contact on mediums such as internet relay chat. so yeah, government, stop the whole hiding away in control centers and designing sophisticated software, if you actually get humans into communities to talk with the security communities over current affairs, you would gather the right kind of intelligence about people and hacks, which is quality information, that doesn't need intelligence analysts to rub their heads for hours wondering, "is this a credible threat or is this guy just joking around". the dhs and cert have got the whole public relations thing with the underground at present all wrong, you need folks like me with a fresh approach to everything, instead of ramping up a "war on terror" which cannot be won. all wars begin and end in dialog, so take that into the cyber security arena and get some friendly nicknames around the internet communities which are known by the good and bad guys... and you will rake in the rewards. at the moment there is no cyber terrorist threat out there, but that doesn't mean there always won't be, so its better to get into the underground security communities in the early on years, so in 5 to 10 or 15 years time when cyber terrorism is a real threat then you'll know who everyone is in the major public security communities and you'll have people within those communities who are approaching you on a daily basis to update you on whats going on in the security community. money isn't needed. while in real life, with drug scene informants, they want money to inform the government about folks, this isn't the case online, because its not as dangerous for a member of the public to be devious and collect intelligence on folks. what i'm suggestiing is i know many folks who would give free intelligence for no money, just to cancel out their rivals, and just to generally be helpful because they are bored, than to demand a certain sum of money for a certain level of importance of intelligence tip off. what i'm suggesting is these open points of contact i want setup would only be there for folks to volenteer information on a free basis, and anyone starting to blackmail those point of contacts for cash would simply be ignored. whats needed is open human points of contact who are approachable on the basis of certain individuals coming forward to give free intelligence, not to be a way for that individual to cash in, on the social circles he is involved in or the zero-day software he has acquired. to get back to the beginning, the whole contacting cert and dhs is currently wrong in relation to the cyber security community, your website sucks, and its not a friendly and approachable looking site for everyday hackers, script kids and security professionals to use. the whole dhs/us-cert badge/logo/graphics etc scare people away. if your site was less big bad serious government looking, then maybe folks would send you a lot more voluntary intelligence, but like i've already said, e-mail forms don't attract the underground, get known nicknames into communities, its the only way forward if you really want to get ontop of the whole cyber security scene, now in the early years before real threats start to gather as the whole cyber terrorism threat is being ramped up for future years. stop the whole we're the big bad serious dhs and cert and get your big government sovereignty logos etc taken off sites which are supposed to be designed for the underground contacting you. at the moment your the big scary dhs and cert, it doesn't need to be that way. become friendly and approachable, become open and honest in underground communities and quit undercover work and devious befriending for general surveillance and intelligence gathering. whats wrong, you can have both undercover folks and have known cyber security contacts in underground communities, whats there to lose? absolutely nothing.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/