lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 05 Feb 2004 11:05:01 -0500
From: Andrew Fried <afried@....fed.gov>
To: "Eggers, Bill A [LTD]" <William.A.Eggers@...l.sprint.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Hysterical first technical alert from US-CERT


I'm a little surprised by some of the critical reactions to the 
US-Cert's issuance of the MyDoom alerts.

Being in the federal sector, I can tell you that the predecessor to 
US-CERT (FedCIRC) received ongoing criticism from the government 
computer security circles for untimely advisories.  FedCIRC was overly 
cautious about validating information before disseminating it.  The 
result was that advisories were released so long after the event that 
they proved to be of little benefit to those of us on the front lines 
trying to mitigate problems.  The joke used to be that we'd read about a 
problem on Bugtra or NANOG, then a week later see the same information 
from FedCIRC.

When DHS formed US-CERT, they held meetings around the country with a 
variety of groups, not just federal security types, and the most 
resounding request they got was to release alerts and advisories as soon 
as possible. Many suggested that late breaking advisories be labeled as 
preliminary, but released just the same.  To US-CERT's credit, they 
listened to those requests and what we saw with MyDoom was advisories 
being released within hours of the onset of an incident.

Behind the scenes, US-CERT has established a number of secure channels 
to facilitate information sharing among federal agencies.  They've 
established working groups which include private sector membership. 
They're ramping up some new initiatives that will bring much needed 
resources to the government such as labs to analyze malware.  In my 
mind, this group is trying to focus on cybersecurity needs with the same 
intensity that NASA did to get to the moon.

I'm not trying to make any sales pitch here, and want to state that I do 
not work with for DHS or US-CERT (which is part of DHS).

Andrew Fried
Senior Special Agent
Treasury Inspector General for Tax Administration

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ