Sir, I thank you for your comments, and agree that perhaps this was not the
correct forum; however, given the vast reach of the people monitoring this list,
the variety of responses and opinion would have been useful.

Unfortunately, either I mis-explained myself, or you misunderstood.  The
purpose of CRAAB is to enable automation of tools to discover
vulnerabilities.  At present CERT does an excellent job of keeping the
security world posted; however, it is unreasonable for Miss Jane Bloggs, sat at
home on her Windows 98 Pentium III 500, to know about, let alone monitor,
CERT.  Disregard for EVERYONE is the commonality that has thus far allowed
remote penetration of machines through such mechanisms as VERY WELL KNOWN RPC
VULNERABILITIES, which have further permitted the recent DDoS attacks.

Your candid disregard for this simple fact may explain how eager you were to
disregard my suggestion without quandary.

In addition to 'la famille Bloggs', there is the fact that CERT caters mainly
for OSs (although admittedly not exclusively); however, there are many products
installed in corporate environments, ISP environments and the home user
environment that can, and do, cause vulnerabilities in the security of that
system.  Many of these products never make it to CERT.

Maintaining levels of code on systems (such as keeping up to date with
Sendmail or Kerberos) is a vital task, and there may be a delay of a few days
from release to Mr Sys Admin discovering this fact.  Utilising the
suggestion of CRAAB, this information can be automatically discovered by
ANYONE with an interest in product X, spanning the whole sphere of what a user
has on their machine, not just the OS.

>>                                                          Further, it
>> could be extended to download the fixes identified, even install them.

>Somehow, that doesn't sound like a step in the right direction, but
>maybe that's merely because third party patch serving schemes have had
>such interesting histories.

Agreed, this is where deeper consideration is required.  Steps such as this
have already been taken, like flash-upgrading the OS of your cable receiver
over the cable feed, for example.  Installation is an option that need not be
considered; however, an option it is.

>>                  ...  Monitoring your emails because you subscribed to
>> 70 different bug-traq esque lists is OK, but an automated alerting
>> system ( as this could easily become ) would be less infallible ...

>If you watch 70 different bug-track lists, then you must like hearing a
>lot of noise and nonsense.  Most reports of security problems from most
>sources are rumors of misunderstood problems or worse.  Even CERT is not
>immune to the Chicken Little Syndrome.

Please accept my apologies for attempting mild humour, or slight sarcasm;
however, these were Bugtraq-ESQUE and not BUGTRAQ per se.  It was an attempt to
illustrate that if you install an OS and 15 different applications, for
example, then it is clearly possible that you could be monitoring approx. 20
lists: an OS bugs/fixes list, CERT / SANS / X-Force / AUSCERT etc., plus each
product mailing list, looking for developments and incremental corrections.
Just think how many web sites you visit in one day (disregarding Playboy) just
to keep up on development (in terms of code fixes) for your system.

Remember that the view of security does not just include the "Oh damn, XYZ has
been broken into", and given that the vendors supply the data, the Chicken
Little Syndrome can be avoided, i.e. only verified occurrences get entered;
this is the realm of process, however.  As said, vendors would supply the data,
so, as opposed to sifting through CERT Advisories for the Vulnerable Systems
section to see if this one applies to your OS, you can focus immediately on
ONLY those products / systems you have.  Your CRAAB agent could run twice
daily, examine CRAAB and then report any findings directly to you.

This cuts across many fields such as Databases, Cryptography, Systems
Integration / Implementation and others.

Anyway, I thank you for your comments and welcome anyone to send their
comments directly to me if they fear that this conversation may pollute the
waters that are these mailing lists.  I also apologise if my candid,
pseudo-sarcastic method of penning (typing) offends you - just making light of
the correspondence... Thanks

Garreth J...

Vernon Schryver wrote:

> > From: Grreth Jeremiah <[EMAIL PROTECTED]>
>
> > ...
> > Given any heterogeneous environment, platform or network, an
> > administrator/security professional often needs to keep track of
> > multiple OS bug lists. ...
>
> > My suggestion is to create an Internet Database where vendors /
> > Emergency Response Teams, may put information in a SPECIFIC format
> > regarding security alerts etc.
> > ...
>
> How is this problem related to the work of the IETF?  Isn't the
> IETF supposed to be about protocols?
>
> How would this suggestion differ from CERT, besides trivia such as who
> sponsors the announcements and pays for the people and computers?
>
> > Each vendor could be issued with a bit pattern representing them, and
> > they may then implement their own bit pattern representing their various
> > ...
>
> Vendors already contact CERT when they discover serious security problems,
> and CERT already talks to vendors about reports from the field.  They even
> use encryption, maintain mutual emergency contact lists, and so forth.
>
> > The overall effect would enable automation to be written that could
> > query this database ( perhaps simple SQL ) and inform you when one of
> > the products that you manage has a defect of some sort.
>
> If you don't like the search facility at www.cert.org, why not send
> them some suggestions?
>
> >                                                          Further, it
> > could be extended to download the fixes identified, even install them.
>
> Somehow, that doesn't sound like a step in the right direction, but
> maybe that's merely because third party patch serving schemes have had
> such interesting histories.
>
> >                  ...  Monitoring your emails because you subscribed to
> > 70 different bug-traq esque lists is OK, but an automated alerting
> > system ( as this could easily become ) would be less infallible ...
>
> If you watch 70 different bug-track lists, then you must like hearing a
> lot of noise and nonsense.  Most reports of security problems from most
> sources are rumors of misunderstood problems or worse.  Even CERT is not
> immune to the Chicken Little Syndrome.
>
> Vernon Schryver    [EMAIL PROTECTED]
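The CRAAB agent sketched in Garreth's reply (vendors publish advisories in an agreed structured format; an agent runs twice daily, checks only the products you actually have, and reports only verified entries) as a worked example. This is an added illustration, not code from either message or from any real CRAAB or CERT system. The record fields, the (vendor, product) key used in place of the vendor bit pattern the original proposal mentions, the version-range syntax, the advisory feed and the inventory are all assumptions constructed for the example.

```python
"""Added example, not from the original thread: a minimal CRAAB-style agent.
Loads a vendor-supplied advisory feed in an assumed structured format, matches
it against a local inventory, and reports only verified advisories that apply
to the versions actually installed."""
import json
import re

# Constructed sample feed. The field names, the (vendor, product) key used in
# place of the post's vendor bit pattern, and the range syntax are assumptions.
SAMPLE_FEED = """[
 {"id": "VENDOR-A-2000-001", "vendor": "vendor-a", "product": "mailer",
  "affected": "< 8.11.0", "fixed": "8.11.0", "severity": "high",
  "summary": "remote root via malformed header", "status": "verified"},
 {"id": "VENDOR-B-2000-007", "vendor": "vendor-b", "product": "authsvc",
  "affected": ">=1.0, <1.2.3", "fixed": "1.2.3", "severity": "high",
  "summary": "buffer overflow in ticket parser", "status": "verified"},
 {"id": "VENDOR-B-2000-008", "vendor": "vendor-b", "product": "authsvc",
  "affected": "<1.3.0", "fixed": "1.3.0", "severity": "low",
  "summary": "unconfirmed report from the field", "status": "rumor"},
 {"id": "VENDOR-C-2000-002", "vendor": "vendor-c", "product": "dbengine",
  "affected": "<7.0", "fixed": "7.0", "severity": "medium",
  "summary": "privilege escalation via stored procedure", "status": "verified"}
]"""

# Constructed local inventory: (vendor, product, installed version).
SAMPLE_INVENTORY = [
    ("vendor-a", "mailer", "8.10.2"),
    ("vendor-b", "authsvc", "1.2.3"),
    ("vendor-c", "dbengine", "6.5.1"),
    ("vendor-d", "browser", "4.0"),   # no advisories at all for this one
]


def parse_version(text):
    """'8.10.2' -> (8, 10, 2); a non-numeric component ends the tuple."""
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def version_cmp(a, b):
    """Numeric comparison of dotted versions; pads with zeros so 7 == 7.0."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


_OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, ">": lambda c: c > 0,
        ">=": lambda c: c >= 0, "==": lambda c: c == 0}


def in_range(installed, spec):
    """True if `installed` satisfies every comma-separated clause of `spec`."""
    for clause in spec.split(","):
        match = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*([\w.]+)\s*", clause)
        if not match:
            raise ValueError("bad range clause: %r" % clause)
        op, bound = match.groups()
        if not _OPS[op](version_cmp(installed, bound)):
            return False
    return True


def check_inventory(feed_json, inventory, verified_only=True):
    """Return the advisories that apply to installed (vendor, product, version).
    verified_only keeps the 'Chicken Little' noise out: entries the vendor has
    not marked as verified are ignored unless the caller asks for them."""
    by_product = {}
    for adv in json.loads(feed_json):
        by_product.setdefault((adv["vendor"], adv["product"]), []).append(adv)
    findings = []
    for vendor, product, version in inventory:
        for adv in by_product.get((vendor, product), []):
            if verified_only and adv.get("status") != "verified":
                continue
            if in_range(version, adv["affected"]):
                findings.append({"id": adv["id"], "vendor": vendor,
                                 "product": product, "installed": version,
                                 "fixed": adv["fixed"],
                                 "severity": adv["severity"],
                                 "summary": adv["summary"]})
    return findings


def format_report(findings):
    """Plain-text report of the kind the agent would mail to the admin."""
    lines = ["%d applicable advisories" % len(findings)]
    for f in sorted(findings, key=lambda f: f["id"]):
        lines.append("  %s %s/%s installed=%s fixed=%s [%s] %s" % (
            f["id"], f["vendor"], f["product"], f["installed"], f["fixed"],
            f["severity"], f["summary"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(check_inventory(SAMPLE_FEED, SAMPLE_INVENTORY)))
```

Run stand-alone it reports two advisories: the mailer at 8.10.2 (below the 8.11.0 fix) and the dbengine at 6.5.1 (below 7.0). The authsvc at 1.2.3 is not reported, because it is exactly the fixed version of the verified advisory and the other authsvc entry is only a rumour; pass verified_only=False to see it. The zero-padding in version_cmp matters: a naive tuple comparison would treat "7" as older than "7.0" and raise a false alarm. Nothing here downloads or installs a fix, which is the part of the proposal Vernon's reply flags as needing deeper consideration.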
